Adding Support For mTLS Based Authentication Support For Kruize Datasource

[shekhar316]

Description

Added support for mTLS (Mutual TLS) authentication support in Kruize datasource connections, enabling secure certificate-based authentication with Prometheus and other monitoring systems.

Type of change

• Bug fix
• New feature
• Docs update
• Breaking change (What changes might users need to make in their application due to this PR?)
• Requires DB changes

Test Configuration

• Kubernetes clusters tested on: Kind

Checklist 🎯

• Followed coding guidelines
• Comments added
• Dependent changes merged
• Documentation updated
• Tests added or updated

Additional information

Image: quay.io/rh-ee-shesaxen/autotune:addmtls

DATASOURCE CONFIG 

"datasource": [
        {
          "name": "prometheus-kind",
          "provider": "prometheus",
          "url": "https://prometheus.monitoring.svc.cluster.local:9090",
          "authentication": {
            "type": "mtls",
            "credentials": {
              "clientCertPath": "/etc/kruize/certs/client.crt",
              "clientKeyPath": "/etc/kruize/certs/client.key",
              "caCertPath": "/etc/kruize/certs/ca.crt"
            }
          }
        }

ADD MTLS VOLUME WITH YOUR CERT FILES
          volumeMounts:
            - name: mtls-certs
              mountPath: /etc/kruize/certs
              readOnly: true

Summary by Sourcery

Add mutual TLS (mTLS) as a first-class authentication option for datasource HTTP clients and wire it through the existing authentication configuration and strategy framework.

New Features:

• Introduce MTLS authentication type alongside existing auth mechanisms for datasource connections.
• Parse and store mTLS client and CA certificate configuration from authentication settings into dedicated credentials and strategy classes.

Enhancements:

• Extend the generic REST API HTTP client to build an mTLS-enabled SSLContext (including client key/cert and optional CA) and support TLS 1.3, while avoiding Authorization headers when not needed for mTLS.

[sourcery-ai]

Reviewer's Guide

Implements a new mTLS authentication type for datasource HTTP connections by wiring it through the existing authentication configuration/strategy system and configuring the HTTP client’s SSLContext with client and CA certificates instead of Authorization headers.

Sequence diagram for mTLS datasource HTTP request

sequenceDiagram
    actor Caller
    participant AuthenticationConfig
    participant AuthenticationStrategyFactory
    participant MTLSAuthenticationStrategy
    participant GenericRestApiClient
    participant HttpClient as CloseableHttpClient
    participant Prometheus as PrometheusServer

    Caller->>AuthenticationConfig: createAuthenticationConfigObject(authJson)
    AuthenticationConfig-->>Caller: AuthenticationConfig(type=MTLS, credentials=MTLSCredentials)

    Caller->>AuthenticationStrategyFactory: createAuthenticationStrategy(authConfig)
    AuthenticationStrategyFactory->>MTLSAuthenticationStrategy: new MTLSAuthenticationStrategy(clientCertPath, clientKeyPath, caCertPath, keyPassword)
    AuthenticationStrategyFactory-->>Caller: MTLSAuthenticationStrategy

    Caller->>GenericRestApiClient: new GenericRestApiClient(authenticationStrategy)

    Caller->>GenericRestApiClient: fetchMetricsJson(methodType, queryString)
    GenericRestApiClient->>GenericRestApiClient: setupHttpClient()
    GenericRestApiClient->>GenericRestApiClient: createMTLSContext(mtlsStrategy)
    GenericRestApiClient->>GenericRestApiClient: loadCertificate(clientCertPath)
    GenericRestApiClient-->>GenericRestApiClient: X509Certificate clientCert
    GenericRestApiClient->>GenericRestApiClient: loadPrivateKey(clientKeyPath, keyPassword)
    GenericRestApiClient-->>GenericRestApiClient: PrivateKey privateKey
    GenericRestApiClient->>GenericRestApiClient: optionally loadCertificate(caCertPath)
    GenericRestApiClient-->>GenericRestApiClient: SSLContext with client and trust material
    GenericRestApiClient-->>HttpClient: configured HttpClient with mTLS SSLContext

    GenericRestApiClient->>GenericRestApiClient: applyAuthentication(httpRequest)
    MTLSAuthenticationStrategy-->>GenericRestApiClient: applyAuthentication() returns null
    GenericRestApiClient->>GenericRestApiClient: skip Authorization header (authHeader is null)

    HttpClient->>Prometheus: HTTPS request with TLS handshake (client cert)
    Prometheus-->>HttpClient: HTTPS response
    HttpClient-->>GenericRestApiClient: HTTP response
    GenericRestApiClient-->>Caller: metrics JSON

Loading

Class diagram for new mTLS authentication support

classDiagram
    class AuthType {
        <<enum>>
        BASIC
        BEARER
        API_KEY
        OAUTH2
        MTLS
        NONE
    }

    class Credentials {
        <<abstract>>
    }

    class MTLSCredentials {
        -String clientCertPath
        -String clientKeyPath
        -String caCertPath
        -String keyPassword
        +String getClientCertPath()
        +void setClientCertPath(String clientCertPath)
        +String getClientKeyPath()
        +void setClientKeyPath(String clientKeyPath)
        +String getCaCertPath()
        +void setCaCertPath(String caCertPath)
        +String getKeyPassword()
        +void setKeyPassword(String keyPassword)
        +boolean equals(Object o)
        +int hashCode()
        +String toString()
    }

    class AuthenticationConfig {
        -AuthType type
        -Credentials credentials
        +static AuthenticationConfig createAuthenticationConfigObject(JSONObject authObj)
        +AuthType getType()
        +Credentials getCredentials()
    }

    class AuthenticationStrategy {
        <<interface>>
        +String applyAuthentication()
    }

    class MTLSAuthenticationStrategy {
        -String clientCertPath
        -String clientKeyPath
        -String caCertPath
        -String keyPassword
        +MTLSAuthenticationStrategy(String clientCertPath, String clientKeyPath, String caCertPath, String keyPassword)
        +String applyAuthentication()
        +String getClientCertPath()
        +String getClientKeyPath()
        +String getCaCertPath()
        +String getKeyPassword()
    }

    class AuthenticationStrategyFactory {
        +static AuthenticationStrategy createAuthenticationStrategy(AuthenticationConfig authConfig)
    }

    class KruizeConstants_AuthenticationConstants {
        <<static>>
        +String AUTHENTICATION_CLIENT_CERT_PATH
        +String AUTHENTICATION_CLIENT_KEY_PATH
        +String AUTHENTICATION_CA_CERT_PATH
        +String AUTHENTICATION_KEY_PASSWORD
        +String MTLS
    }

    class GenericRestApiClient {
        -AuthenticationStrategy authenticationStrategy
        -CloseableHttpClient setupHttpClient()
        -SSLContext createMTLSContext(MTLSAuthenticationStrategy mtlsStrategy)
        -X509Certificate loadCertificate(String certPath)
        -PrivateKey loadPrivateKey(String keyPath, String password)
        -void applyAuthentication(HttpRequestBase httpRequestBase)
    }

    Credentials <|-- MTLSCredentials
    AuthenticationStrategy <|.. MTLSAuthenticationStrategy
    AuthenticationConfig o--> Credentials
    AuthenticationConfig o--> AuthType
    AuthenticationStrategyFactory ..> AuthenticationConfig : uses
    AuthenticationStrategyFactory ..> MTLSAuthenticationStrategy : creates
    GenericRestApiClient o--> AuthenticationStrategy
    GenericRestApiClient ..> MTLSAuthenticationStrategy : mtls specific
    GenericRestApiClient ..> KruizeConstants_AuthenticationConstants : uses
    AuthenticationConfig ..> KruizeConstants_AuthenticationConstants : uses
    MTLSCredentials ..> KruizeConstants_AuthenticationConstants : uses
    AuthType ..> KruizeConstants_AuthenticationConstants : alignsWith

Loading

File-Level Changes

Change	Details	Files
Extend GenericRestApiClient to support mTLS by building an SSLContext from client and CA certificates when the MTLS authentication strategy is configured.	Switch setupHttpClient to detect MTLSAuthenticationStrategy and create an mTLS-configured SSLContext, falling back to the previous trust-all SSLContext for other auth types Add TLSv1.3 support alongside TLSv1.2 in the SSLConnectionSocketFactory Introduce createMTLSContext to load client cert, private key, and CA cert into a KeyStore/TrustStore and build an SSLContext with key and trust material Implement helper methods loadCertificate and loadPrivateKey to read PEM-encoded X.509 certs and PKCS#8 private keys from disk, supporting RSA and EC keys Update applyAuthentication so it skips setting the Authorization header when the strategy returns null (mTLS)	src/main/java/com/autotune/utils/GenericRestApiClient.java
Add MTLS credentials type and strategy to the auth configuration pipeline so JSON datasource configs with type "mtls" are parsed and used.	Define MTLSCredentials with clientCertPath, clientKeyPath, caCertPath, and keyPassword fields plus equals/hashCode/toString Extend AuthenticationConfig.createAuthenticationConfigObject to construct MTLSCredentials from the authentication.credentials JSON object Update AuthenticationStrategyFactory to create an MTLSAuthenticationStrategy from MTLSCredentials and return it for AuthType.MTLS Add new authentication constants for mTLS JSON keys and the "mtls" type string, and extend AuthType enum with MTLS	src/main/java/com/autotune/common/auth/Credentials.java src/main/java/com/autotune/common/auth/AuthenticationConfig.java src/main/java/com/autotune/common/auth/AuthenticationStrategyFactory.java src/main/java/com/autotune/utils/KruizeConstants.java src/main/java/com/autotune/common/auth/AuthType.java
Introduce MTLSAuthenticationStrategy to represent mTLS in the auth strategy abstraction without using HTTP headers.	Create MTLSAuthenticationStrategy implementing AuthenticationStrategy, storing client and CA certificate paths and optional key password Document that mTLS is handled at the SSL/TLS layer and have applyAuthentication return null to signal no Authorization header is needed Add debug logging on initialization to record configured certificate paths	src/main/java/com/autotune/common/auth/MTLSAuthenticationStrategy.java

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

New security issues found

[sourcery-ai]

New security issues found

[sourcery-ai]

New security issues found

[khansaad]

LGTM

[shekhar316]

@dinogun can we please review this pr?

[chandrams]

@shekhar316 Please add a test for mtls authentication as a separate PR

[dinogun]

@shekhar316 Can you looking into the security issues highlighted here

[shekhar316]

@shekhar316 Can you looking into the security issues highlighted here

Hi @dinogun ,

Those are actually false positives.

The string
-----BEGIN RSA PRIVATE KEY-----
is included only as a static marker to identify and validate the format of an RSA private key provided at runtime.
No actual private keys are stored, hardcoded, logged, or exposed in the codebase. This value is part of the standard PEM specification and is used purely for input validation and example documentation purposes.

And about README files -

That block is not an actual private key.
It is a dummy/example representation included solely to demonstrate the expected PEM format of a private key for documentation purposes. The value does not belong to any real system, account, or environment and cannot be used for authentication or cryptographic operations.
No real secrets or private keys are stored, committed, or exposed in this repository.

[dinogun]

Rather than have all of this code in GenericRestApiClient, please move this to MTLSAuthenticationStrategy itself. AuthenticationStrategy should not be specific to Http based auth alone and should cover everything. That way we have a clean way of looking at everything related to MTLS as it was originally meant to be.

[shekhar316]

Sure, I have moved the mtls related methods to MTLSAuthenticationStrategy and kept GenericRestApiClient clean and common for all.

[dinogun]

Please add a link to this file from KruizeLocalAPI.md as well

[shekhar316]

Done

[dinogun]

Abstraction changes are looking good now