ACM-33066 Trust OCM CA bundle for PlacementDebugServer proxy

[Randy424]

Summary

• Adds getPlacementDebugCACertificate() to read the OCM-managed CA bundle from PLACEMENT_CA_BUNDLE_PATH with file-watch rotation support
• Adds getPlacementDebugAgent() HTTPS agent that trusts the OCM CA bundle, with graceful fallback to getServiceAgent() when the env var is unset
• Switches the placement debug proxy route from getServiceAgent() to getPlacementDebugAgent()

Context

The PlacementDebugServer's TLS serving certificate is being moved from the OpenShift-specific serving-cert-secret-name annotation to the OCM-native CertRotationController (ocm#1505). The CertRotationController uses its own self-signed CA, so the console backend needs to trust that CA instead of (or in addition to) the OpenShift service-ca.

A separate backplane-operator PR will mount the OCM ca-bundle-configmap ConfigMap into the console pod and set PLACEMENT_CA_BUNDLE_PATH.

Files changed

File	Change
backend/src/lib/serviceAccountToken.ts	New getPlacementDebugCACertificate() — reads CA from arbitrary path, watches for rotation
backend/src/lib/agent.ts	New getPlacementDebugAgent() — HTTPS agent trusting OCM CA, falls back to service-ca agent
backend/src/routes/placementDebug.ts	Switch from getServiceAgent() to getPlacementDebugAgent()

Test plan

• Verify npm run check passes (lint, prettier, tsc)
• Verify fallback behavior: when PLACEMENT_CA_BUNDLE_PATH is unset, getPlacementDebugAgent() returns getServiceAgent() (no behavioral change)
• Verify custom agent: when PLACEMENT_CA_BUNDLE_PATH points to a valid cert file, a dedicated agent is created trusting that CA
• End-to-end validation requires the upstream OCM cert rotation PR and a backplane-operator mount PR

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features
  • Added HTTPS support for the placement-debug service with optional custom CA loaded from an env-configured path and runtime updates via file-watching; falls back to the default agent when no custom CA is available.
• Tests
  • Added tests covering CA loading, caching, cache invalidation on change, runtime transition, and fallback behavior.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Randy424

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Randy424]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 205889c0-0691-4c08-92b8-233fc630c1ac

📥 Commits

Reviewing files that changed from the base of the PR and between 90d182c and f32f82a.

📒 Files selected for processing (3)

• backend/src/lib/serviceAccountToken.ts
• backend/test/lib/agent.test.ts
• backend/test/lib/serviceAccountToken.test.ts

✅ Files skipped from review due to trivial changes (1)

• backend/test/lib/agent.test.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• backend/test/lib/serviceAccountToken.test.ts
• backend/src/lib/serviceAccountToken.ts

---

📝 Walkthrough

Walkthrough

Adds reading/caching of a placement-debug CA bundle, a placement-debug HTTPS agent factory that uses that CA (with cache invalidation on file-change outside development), and switches the placement-debug route to use the new agent. Tests for CA loading, caching, watching, agent creation, caching, invalidation, and fallback were added.

Changes

Placement-Debug Agent Integration

Layer / File(s)	Summary
Certificate Loading backend/src/lib/serviceAccountToken.ts	Adds getPlacementDebugCACertificate(onChange?): reads process.env.PLACEMENT_CA_BUNDLE_PATH synchronously, caches result, logs and returns undefined on read error, and (when NODE_ENV !== 'development') installs watchFile to clear cache and call optional onChange.
Agent Construction backend/src/lib/agent.ts	Adds cached placementDebugAgent and exported getPlacementDebugAgent(): returns an https.Agent constructed with placement-debug CA when getPlacementDebugCACertificate() yields certificates (registers an invalidation callback), otherwise falls back to getServiceAgent(). Reuses shared COMMON_AGENT_OPTIONS.
Route Integration backend/src/routes/placementDebug.ts	Replaces use of getServiceAgent() with getPlacementDebugAgent() when creating the upstream HTTPS request options.
Tests backend/test/lib/serviceAccountToken.test.ts, backend/test/lib/agent.test.ts	Adds Jest suites verifying CA read/caching/watch behavior and getPlacementDebugAgent() creation, caching, invalidation, runtime transition, and fallback to service agent.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    rect rgba(200,200,255,0.5)
    Participant Client
    end
    rect rgba(200,255,200,0.5)
    Participant Server as PlacementDebugRoute
    Participant AgentFactory as getPlacementDebugAgent
    Participant FS as FileSystem
    Participant Upstream
    end
    Client->>Server: HTTP request
    Server->>AgentFactory: getPlacementDebugAgent()
    AgentFactory->>FS: getPlacementDebugCACertificate() (cached or read file)
    FS-->>AgentFactory: CA bundle or undefined
    AgentFactory-->>Server: https.Agent (placement-debug CA or service agent)
    Server->>Upstream: HTTPS request using Agent
    Upstream-->>Server: response
    Server-->>Client: proxied response

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The description covers core details (summary, context, files changed, test plan) but does not follow the provided template structure, omits the required Type of Change selection, and lacks explicit Checklist completion.	Restructure the description to match the template format, explicitly select Type of Change (Feature), and complete or indicate status of the checklist items including test verification and JSDoc coverage.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'ACM-33066 Trust OCM CA bundle for PlacementDebugServer proxy' clearly and specifically describes the main change: adding OCM CA bundle trust for the PlacementDebug proxy.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/src/lib/serviceAccountToken.ts`:
- Around line 118-120: The catch block in serviceAccountToken.ts currently
swallows the thrown error; update the catch to capture the error (e.g., catch
(err)) and include the error details in the warning log call to logger.warn
(preserve the existing msg and path fields but add the error or
err.message/stack as an additional field), then keep the fallback return
undefined; this change targets the catch around reading PLACEMENT_CA_BUNDLE_PATH
in the serviceAccountToken logic so you can locate it by the existing
logger.warn call.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0749bc05-637b-4632-b51b-4cb29b74de92

📥 Commits

Reviewing files that changed from the base of the PR and between 11225e7 and 293e9bd.

📒 Files selected for processing (3)

• backend/src/lib/agent.ts
• backend/src/lib/serviceAccountToken.ts
• backend/src/routes/placementDebug.ts

[Randy424]

/hold