

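// MakeUnauthenticatedRequest sends a credential-less GET to a Kubernetes API server endpoint and
// verifies that the server rejects it. This confirms that endpoint is reachable and that
// caCertificate (PEM-encoded) is the CA that issued the server's serving certificate, since only
// that CA is trusted for the TLS handshake.
//
// It returns nil only when the server answers with 403 Forbidden or 401 Unauthorized and a body
// that decodes into apiServerResponse. Failures attributable to the supplied inputs are wrapped
// with validation.WithRemediation so callers can surface a remediation hint; read and decode
// failures are returned wrapped with %w.
//
// Cancellation and deadlines come from ctx; the HTTP client itself sets no timeout.
func MakeUnauthenticatedRequest(ctx context.Context, endpoint string, caCertificate []byte) error {
	// The API server's unauthenticated reply is small. Cap how much of the body is buffered so a
	// misconfigured endpoint (for example a proxy serving a large page) cannot make this check
	// read an unbounded response into memory.
	const maxResponseBytes = 1 << 20 // 1 MiB

	caCertPool := x509.NewCertPool()
	if !caCertPool.AppendCertsFromPEM(caCertificate) {
		return validation.WithRemediation(errors.New("failed to parse Cluster CA certificate"),
			"Ensure the Cluster CA certificate provided is correct.",
		)
	}

	transport := &http.Transport{
		TLSClientConfig: &tls.Config{
			// Setting RootCAs means the system roots are not consulted: the handshake succeeds
			// only if the server certificate chains to the provided cluster CA.
			RootCAs:    caCertPool,
			MinVersion: tls.VersionTLS12,
		},
	}
	// The transport is single-use; drop its idle TLS connection once the check is done.
	defer transport.CloseIdleConnections()

	client := &http.Client{Transport: transport}

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
	if err != nil {
		return validation.WithRemediation(err, "Ensure the Kubernetes API server endpoint provided is correct.")
	}

	resp, err := client.Do(req)
	if err != nil {
		return validation.WithRemediation(err, "Ensure the provided Kubernetes API server endpoint is correct and the CA certificate is valid for that endpoint.")
	}
	defer resp.Body.Close()

	// Read one byte beyond the cap so an over-long body is detected instead of silently truncated.
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseBytes+1))
	if err != nil {
		return fmt.Errorf("reading unauthenticated request response body: %w", err)
	}
	if len(body) > maxResponseBytes {
		return validation.WithRemediation(fmt.Errorf("unauthenticated request response body exceeds %d bytes", maxResponseBytes),
			"Ensure the Kubernetes API server endpoint provided is correct.",
		)
	}

	// Decode best-effort first and check the status code before insisting on a well-formed body:
	// an endpoint that is not a kube-apiserver (e.g. one returning an HTML error page) is then
	// reported by its status code, which is the more useful diagnostic, rather than as a JSON
	// decoding failure. Message is simply empty when the body did not decode.
	apiServerResp := &apiServerResponse{}
	unmarshalErr := json.Unmarshal(body, apiServerResp)

	// Both Forbidden and Unauthorized are accepted: the kube-apiserver returned Forbidden for
	// unauthenticated requests before Kubernetes 1.32 and returns Unauthorized from 1.32 onwards.
	if resp.StatusCode != http.StatusForbidden && resp.StatusCode != http.StatusUnauthorized {
		return validation.WithRemediation(fmt.Errorf("expected status code from unauthenticated request %d or %d, got %d. Message: %s", http.StatusForbidden, http.StatusUnauthorized, resp.StatusCode, apiServerResp.Message),
			"Ensure the Kubernetes API server endpoint provided is correct and the CA certificate is valid for that endpoint.",
		)
	}

	// An accepted status code must still come with a body that decodes into apiServerResponse;
	// a rejection without one does not look like a kube-apiserver.
	if unmarshalErr != nil {
		return fmt.Errorf("unmarshalling unauthenticated request response: %w", unmarshalErr)
	}

	return nil
}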