docs(sandbox): document verified TLS behavior of kubeconfig under Bun

[larryro]

Summary

Resolves #1849 — empirical verification of skipTLSVerify/caFile behavior under Bun.

Finding: both kubeconfig TLS knobs ARE honored. @kubernetes/client-node@1.4.0 uses node-fetch → https.request(), not Bun's native fetch(). Bun honors https.Agent options via https.request(), so neither skipTLSVerify nor caFile is dead code.

Key empirical results (Bun 1.3.14):

• skipTLSVerify: true → rejectUnauthorized: false in the https.Agent → TLS verification genuinely disabled ✓
• caFile → agent.ca populated and trusted ✓
• Client certs → agent.cert/agent.key sent correctly ✓
• Native fetch() with agent option → ignored (but @kubernetes/client-node doesn't use native fetch)

Contrast: Bun's native fetch() ignores the agent option. The prior "AUTH NOTE" was generalizing from native fetch behavior, which misrepresented what @kubernetes/client-node actually does.

Changes

• k8s-client.ts: Replace misleading AUTH NOTE with accurate TLS NOTE; extract makeK8sConfig() from makeK8sClient() to enable unit testing of kubeconfig options.
• k8s-client.test.ts: Add 3 unit tests covering the caFile branch, skipTLSVerify branch, and bearer-token wiring in makeK8sConfig().
• kubernetes.md: Demote NODE_EXTRA_CA_CERTS from "in-cluster required" to "optional (defence-in-depth)"; correct the false "Bun's fetch ignores the kubeconfig CA" claim; add note that both TLS knobs are verified to work.

Test plan

• bun test services/sandbox/src/backend/kubernetes/k8s-client.test.ts — 11 pass
• bun test services/sandbox/src/backend/kubernetes/ — 85 pass
• bun run typecheck — clean
• Empirical TLS tests run locally against a self-signed cert server (Bun 1.3.14): rejectUnauthorized: false, custom CA, and client cert — all honored via https.Agent + node-fetch

[coderabbitai]

Warning

Review limit reached

@larryro, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 51 minutes and 16 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 32419120-5d5d-4ee7-881b-2e8cd4349a7f

📥 Commits

Reviewing files that changed from the base of the PR and between 3777f80 and 33acec6.

📒 Files selected for processing (3)

• services/sandbox/docs/kubernetes.md
• services/sandbox/src/backend/kubernetes/k8s-client.test.ts
• services/sandbox/src/backend/kubernetes/k8s-client.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sandbox/k8s-verify-tls-knobs

Warning

Billing warning: we have not been able to collect payment for this subscription for more than 72 hours. Please update the payment method or pay any pending invoices in Billing to avoid service interruption.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[larryro]

⚠️ Conflicting PRs for #1849 — do NOT merge any of these until resolved.

Three open PRs address the same question, and two reach opposite conclusions about whether Bun honors kubeconfig TLS knobs:

• fix(sandbox): verify skipTLSVerify/caFile behavior of kubeconfig under Bun (#1849) #1919 — concludes skipTLSVerify/caFile ARE honored under Bun.
• fix(sandbox): verify skipTLSVerify/caFile kubeconfig behavior under Bun (#1849) #1916 — concludes Bun silently ignores them; only NODE_EXTRA_CA_CERTS works, and removes the "dead" code.
• docs(sandbox): document verified TLS behavior of kubeconfig under Bun #1926 — docs companion (aligns with fix(sandbox): verify skipTLSVerify/caFile behavior of kubeconfig under Bun (#1849) #1919).

This is security-critical: merging the wrong conclusion could leave TLS verification silently disabled in production, or remove code that was actually doing the verification. This cannot be resolved by review alone — it needs an empirical test under the real Bun version (issue a request with a kubeconfig carrying caFile/skipTLSVerify and observe whether TLS is actually enforced/skipped). Holding all three for a human decision; only the PR matching the verified behavior should be merged, the others closed.