fix(supervisor): scrape apiserver /metrics over https so TLS verifies against the cluster CA

nicktrn · nicktrn · commit 0160156b8a7c · 2026-06-24T12:04:40.000+01:00
diff --git a/apps/supervisor/src/clients/kubernetes.ts b/apps/supervisor/src/clients/kubernetes.ts
@@ -1,3 +1,4 @@
+import * as https from "node:https";
 import * as k8s from "@kubernetes/client-node";
 import { Informer } from "@kubernetes/client-node";
 import { ListPromise } from "@kubernetes/client-node";
@@ -67,12 +68,38 @@ export function createApiserverMetricsFetcher(): () => Promise<string> {
     if (!cluster) {
       throw new Error("no current cluster in kubeconfig");
     }
-    const requestInit = await kubeConfig.applyToFetchOptions({ method: "GET" });
-    // node-fetch vs DOM RequestInit: structurally compatible, declaration-only mismatch
-    const response = await fetch(`${cluster.server}/metrics`, requestInit as unknown as RequestInit);
-    if (!response.ok) {
-      throw new Error(`apiserver /metrics scrape failed: ${response.status}`);
-    }
-    return response.text();
+    const url = new URL(`${cluster.server}/metrics`);
+    const opts: https.RequestOptions = {
+      method: "GET",
+      protocol: url.protocol,
+      hostname: url.hostname,
+      port: url.port,
+      path: url.pathname,
+    };
+    // applyToHTTPSOptions sets the cluster CA, client cert/key, and auth headers
+    // (incl. exec plugins) on the request - so TLS verifies against the cluster
+    // CA, not the system store. The fetch-options path attaches the CA as an
+    // https.Agent, which global fetch (undici) ignores.
+    await kubeConfig.applyToHTTPSOptions(opts);
+
+    return new Promise<string>((resolve, reject) => {
+      const req = https.request(opts, (res) => {
+        const status = res.statusCode ?? 0;
+        let body = "";
+        res.setEncoding("utf8");
+        res.on("data", (chunk) => {
+          body += chunk;
+        });
+        res.on("end", () => {
+          if (status >= 200 && status < 300) {
+            resolve(body);
+          } else {
+            reject(new Error(`apiserver /metrics scrape failed: ${status}`));
+          }
+        });
+      });
+      req.on("error", reject);
+      req.end();
+    });
   };
 }
