fix oauth callback and integrate istio gateway with cert-manager for prod

Dockerfile

@@ -44,14 +44,8 @@ COPY --from=builder /app/guac /app/guac
 # Copy templates (if your application uses them from filesystem at runtime)
 COPY --from=builder /app/templates /app/templates
 
-# Create and copy certificates as before
+# Create certificates directory (certificates will be generated by init container)
 RUN mkdir -p /app/certs
-# COPY --from=builder /app/certs/ /app/certs/ # This line might not be needed if certs are always generated
-RUN echo "Generating self-signed certificates..." && \
-    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-      -keyout /app/certs/private.key \
-      -out /app/certs/certificate.crt \
-      -subj "/C=US/ST=California/L=San Francisco/O=My Company/CN=mydomain.com"
 
 ENV CERT_PATH=/app/certs/certificate.crt
 ENV CERT_KEY_PATH=/app/certs/private.key

Tiltfile

@@ -25,10 +25,18 @@ docker_build_with_restart(
     live_update=[
         sync('./.tilt/guac', '/app/guac'),
         sync('./templates', '/app/templates'),
+        sync('./certs', '/app/certs'),
         run('chmod +x /app/guac')  # Ensure binary is executable
     ]
 )
 
+k8s_resource(
+    'browser-sandbox-frontend',
+    port_forwards=['8080:80'],
+    labels=["frontend"],
+    auto_init=False
+)
+
 # Frontend (optional dev build) - uses Caddyfile.dev via build arg
 # Build only when needed; does not deploy any k8s resources here
 docker_build(

deployments/isito.yml

@@ -37,22 +37,24 @@ spec:
     - browser-sandbox-gateway
   http:
     - match:
-        - uri:
-            prefix: "/api"
+        - headers:
+            ":authority":
+              exact: "api.kubebrowse1.ghcat.tech"
       route:
         - destination:
             host: browser-sandbox-api
             port:
               number: 4567
     - match:
-        - uri:
-            prefix: "/websocket"
+        - headers:
+            ":authority":
+              exact: "app.kubebrowse1.ghcat.tech"
       route:
         - destination:
-            host: browser-sandbox-api
+            host: browser-sandbox-frontend
             port:
-              number: 4567
-    - route:  # Default route for frontend
+              number: 80
+    - route:  # Default route (fallback)
         - destination:
             host: browser-sandbox-frontend
             port:

deployments/manifest.yml

@@ -253,6 +253,24 @@ spec:
         app: browser-sandbox-api
     spec:
       serviceAccountName: browser-sandbox-sa
+      initContainers:
+        - name: cert-generator
+          image: alpine:3.20
+          command: ['sh', '-c']
+          args:
+            - |
+              apk add --no-cache openssl
+              mkdir -p /app/certs
+              echo "Generating self-signed certificates..."
+              openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+                -keyout /app/certs/private.key \
+                -out /app/certs/certificate.crt \
+                -subj "/C=US/ST=California/L=San Francisco/O=My Company/CN=mydomain.com"
+              echo "Certificates generated successfully"
+              ls -la /app/certs/
+          volumeMounts:
+            - name: certs-volume
+              mountPath: /app/certs
       containers:
         - name: api
           image:  ghcr.io/browsersec/kubebrowse:sha-09dfa1f
@@ -320,15 +338,15 @@ spec:
             - name: DISTRIBUTED_TRACING
               value: "true"
             - name: GITHUB_CLIENT_ID
-              value: "Ov23li974J8UoG1CH0HJ"
+              value: "Ov23liQQQ5lMyIrOULYx"
             - name: GITHUB_CLIENT_SECRET
-              value: "f16b7dc2b85d4a7f817e273b4a2d64124153ce8f"
+              value: "47afea55e0e19231e1cc82c3a57d56aaeedb480e"
             - name: GITHUB_CALLBACK_URL
               value: "https://localhost:4567/auth/oauth/github/callback"
             - name: SESSION_SECRET
               value: "McX0xoYlJYpO0EGdUZC6aJxVh2rKYrXZM7SPMpVREeXMXoMBI20v90PICD-LfEn7jr07c5vH2CWcKzjl8hoNvQ"
             - name: FRONTEND_URL
-              value: "http://localhost:5173"
+              value: "http://localhost:8080"
             - name: ENVIRONMENT
               value: "development"
             - name: SMTP_HOST
@@ -341,11 +359,17 @@ spec:
               value: "ulagdeliigobhdgr"
             - name: FROM_EMAIL
               value: "sanjay.obsidian@gmail.com"
-            # - name: CERT_PATH
-            #   value: ""
-            # - name: CERT_KEY_PATH
-            #   value: ""
+            - name: CERT_PATH
+              value: "/app/certs/certificate.crt"
+            - name: CERT_KEY_PATH
+              value: "/app/certs/private.key"
+          volumeMounts:
+            - name: certs-volume
+              mountPath: /app/certs
           securityContext: {}
+      volumes:
+        - name: certs-volume
+          emptyDir: {}
 ---
 # API Service
 apiVersion: v1

docs/CONTRIBUTING.md

@@ -6,7 +6,7 @@ order: 800
 
 # Contributing to KubeBrowse
 
-Thank you for your interest in contributing to GUAC! This document provides guidelines and instructions for contributing to this project.
+Thank you for your interest in contributing to KubeBrowse! This document provides guidelines and instructions for contributing to this project.
 
 ## Table of Contents
 
@@ -16,10 +16,14 @@ Thank you for your interest in contributing to GUAC! This document provides guid
   - [Getting Started](#getting-started)
     - [Development Environment Setup](#development-environment-setup)
     - [Troubleshooting Common Issues](#troubleshooting-common-issues)
+      - [Go Version Mismatch](#go-version-mismatch)
     - [Project Structure](#project-structure)
   - [Development Workflow](#development-workflow)
     - [Branching Strategy](#branching-strategy)
     - [Commit Guidelines](#commit-guidelines)
+      - [Conventional Commits Format](#conventional-commits-format)
+      - [DCO Sign-off Requirement](#dco-sign-off-requirement)
+      - [Example Commit](#example-commit)
     - [Pre-commit Hooks](#pre-commit-hooks)
   - [Pull Requests](#pull-requests)
     - [PR Process](#pr-process)
@@ -146,9 +150,11 @@ If you encounter errors like `compile: version "go1.24.0" does not match go tool
 
 ### Commit Guidelines
 
-We follow [Conventional Commits](https://www.conventionalcommits.org/) for commit messages:
+We follow [Conventional Commits](https://www.conventionalcommits.org/) for commit messages and require [Developer Certificate of Origin (DCO)](https://developercertificate.org/) sign-off for all contributions.
 
-```
+#### Conventional Commits Format
+
+```text
 <type>(<scope>): <description>
 
 <body>
@@ -157,6 +163,7 @@ We follow [Conventional Commits](https://www.conventionalcommits.org/) for commi
 ```
 
 Types include:
+
 - `feat`: A new feature
 - `fix`: A bug fix
 - `docs`: Documentation changes
@@ -165,14 +172,50 @@ Types include:
 - `test`: Adding or modifying tests
 - `chore`: Changes to the build process or auxiliary tools
 
-Example:
+#### DCO Sign-off Requirement
+
+All commits must include a `Signed-off-by` line to certify that you have the right to submit the code under the project's license. This is required by the [Developer Certificate of Origin](https://developercertificate.org/).
+
+**To sign off your commits automatically:**
+
+```bash
+# Configure git to always sign off commits (recommended)
+git config --global format.signoff true
+
+# Or use the -s flag for individual commits
+git commit -s -m "feat(api): add new authentication endpoint"
+```
+
+**To sign off existing commits:**
+
+```bash
+# Sign off the last commit
+git commit --amend --signoff
+
+# Sign off multiple commits using interactive rebase
+git rebase --signoff HEAD~<number-of-commits>
+
+# Force push to update the PR
+git push --force-with-lease
+```
+
+The sign-off line should look like:
+
+```text
+Signed-off-by: Your Name <your.email@example.com>
 ```
+
+#### Example Commit
+
+```text
 feat(api): add endpoint for user authentication
 
 - Implement JWT token generation
 - Add middleware for token validation
 
 Fixes #123
+
+Signed-off-by: John Doe <john.doe@example.com>
 ```
 
 ### Pre-commit Hooks
@@ -186,11 +229,13 @@ This project uses [Lefthook](https://github.com/evilmartians/lefthook) for manag
 - Potential secrets
 
 Install the hooks with:
+
 ```bash
 make hooks
 ```
 
 You can manually run the pre-commit checks:
+
 ```bash
 # Check only staged files
 make lint
@@ -251,5 +296,4 @@ If Lefthook is not found, you'll be prompted to install it. Lefthook hooks are a
 5. Tag the release with the version number
 6. Update documentation with release notes
 
-Thank you for contributing to GUAC!
-*
+Thank you for contributing to KubeBrowse!

frontend/Caddyfile.dev

@@ -8,14 +8,50 @@
     root * /srv
     file_server
 
-    # Handle OAuth callback redirects
-    handle /auth/success {
-        file_server
-        header Cache-Control "no-cache, no-store, must-revalidate"
+    # Authentication endpoints - proxy to backend API (excluding frontend routes)
+    handle /auth/oauth/* {
+        reverse_proxy {$CADDY_GUAC_CLIENT_URL} {
+            transport http {
+                tls
+                tls_insecure_skip_verify
+            }
+            header_up Host {http.reverse_proxy.upstream.hostport}
+            header_up Connection {header.Connection}
+            header_up Upgrade {header.Upgrade}
+
+            # Cookie handling for session management
+        }
     }
 
-    # Authentication endpoints - proxy to backend API
-    handle /auth/* {
+    handle /auth/login {
+        reverse_proxy {$CADDY_GUAC_CLIENT_URL} {
+            transport http {
+                tls
+                tls_insecure_skip_verify
+            }
+            header_up Host {http.reverse_proxy.upstream.hostport}
+            header_up Connection {header.Connection}
+            header_up Upgrade {header.Upgrade}
+
+            # Cookie handling for session management
+        }
+    }
+
+    handle /auth/me {
+        reverse_proxy {$CADDY_GUAC_CLIENT_URL} {
+            transport http {
+                tls
+                tls_insecure_skip_verify
+            }
+            header_up Host {http.reverse_proxy.upstream.hostport}
+            header_up Connection {header.Connection}
+            header_up Upgrade {header.Upgrade}
+
+            # Cookie handling for session management
+        }
+    }
+
+    handle /auth/logout {
         reverse_proxy {$CADDY_GUAC_CLIENT_URL} {
             transport http {
                 tls

frontend/src/components/auth/LoginForm.jsx

@@ -6,6 +6,7 @@ import { Label } from '../ui/label';
 import { Card } from '../ui/card';
 import { Alert } from '../ui/alert';
 import EmailVerification from './EmailVerification';
+import toast from 'react-hot-toast';
 
 export function LoginForm({ onSwitchToRegister }) {
   const [formData, setFormData] = useState({
@@ -32,13 +33,25 @@ export function LoginForm({ onSwitchToRegister }) {
 
     const result = await login(formData.email, formData.password);
 
-    if (!result.success) {
+    if (result.success) {
+      // Show success toast similar to OAuth flow
+      toast.success(`Welcome back, ${result.user?.name || result.user?.email || 'User'}!`, {
+        duration: 3000,
+        position: "top-right",
+        style: {
+          background: "#10B981",
+          color: "#fff",
+          fontWeight: "600",
+        },
+        iconTheme: { primary: "#fff", secondary: "#10B981" },
+      });
+      setIsSubmitting(false);
+    } else {
       if (result.needsVerification) {
         setShowEmailVerification(true);
       }
       setIsSubmitting(false);
     }
-    // If successful, the auth context will handle the state update
   };
 
   const handleGitHubLogin = () => {