@sttts
Created August 10, 2023 08:17
diff --git a/apis/generate.go b/apis/generate.go
index 001a9de0..b5bd1df0 100644
--- a/apis/generate.go
+++ b/apis/generate.go
@@ -23,6 +23,7 @@
// Generate deepcopy methodsets and CRD manifests
//go:generate go run -tags generate sigs.k8s.io/controller-tools/cmd/controller-gen object:headerFile=../hack/boilerplate.go.txt paths=./spaces/... crd:crdVersions=v1 output:artifacts:config=../package/crds
+//go:generate bash -c "for CRD in ../package/crds/*.yaml; do PATCH=patches/$DOLLAR(basename \"$DOLLAR{CRD}\")-patch; if [ -f \"$DOLLAR{PATCH}\" ]; then echo \"Applying $DOLLAR{PATCH}\"; go run -tags generate github.com/vmware-archive/yaml-patch/cmd/yaml-patch -o \"$DOLLAR{PATCH}\" < \"$DOLLAR{CRD}\" > \"$DOLLAR{CRD}.patched\" && mv \"$DOLLAR{CRD}.patched\" \"$DOLLAR{CRD}\"; fi; done"
// Sync CRDs to spaces chart.
//go:generate rm -rf ../cluster/charts/spaces/crds
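Review bot: The added `bash -c` loop on the new `//go:generate` line swallows patch failures: there is no `set -e`, a failed `yaml-patch` inside `cmd && mv` does not abort the loop, and the loop's exit status is that of its last iteration, so `go generate` can exit 0 with an unpatched CRD and a stray `*.yaml.patched` file left in `../package/crds`. Make the failure fatal and clean up the partial output, e.g. replace the `&& mv` tail with `go run ... < "$DOLLAR{CRD}" > "$DOLLAR{CRD}.patched" || { rm -f "$DOLLAR{CRD}.patched"; exit 1; }; mv "$DOLLAR{CRD}.patched" "$DOLLAR{CRD}";` and prefix the script with `set -uo pipefail;`. The tool is pulled from a `vmware-archive` path, which suggests an archived upstream; since it runs at generate time it is worth a comment noting it is pinned via go.mod and that a maintained replacement should be tracked.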
diff --git a/apis/patches/spaces.upbound.io_controlplanes.yaml-patch b/apis/patches/spaces.upbound.io_controlplanes.yaml-patch
index e69de29b..543170fb 100644
--- a/apis/patches/spaces.upbound.io_controlplanes.yaml-patch
+++ b/apis/patches/spaces.upbound.io_controlplanes.yaml-patch
@@ -0,0 +1,3 @@
+- op: add
+ path: /spec/versions/name=v1alpha1/schema/openAPIV3Schema/format
+ value: "url"
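Review bot: The patch path ends at `/schema/openAPIV3Schema/format`, i.e. it sets `format` on the root schema object of the v1alpha1 version rather than on a string property, which looks like a placeholder rather than an intended schema constraint. As far as I recall, `url` is also not one of the formats the API server validates (`uri` is), so this would presumably be ignored at admission; please confirm against the target Kubernetes version or point the path at the string field that should carry the format. A one-line comment in the patch stating which field and why it is patched post-generation (instead of a `+kubebuilder:validation:Format` marker on the Go type) would help the next maintainer.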
diff --git a/cluster/charts/mxp-bootstrapper/templates/flowschema.yaml b/cluster/charts/mxp-bootstrapper/templates/flowschema.yaml
index e69de29b..7415f580 100644
--- a/cluster/charts/mxp-bootstrapper/templates/flowschema.yaml
+++ b/cluster/charts/mxp-bootstrapper/templates/flowschema.yaml
@@ -0,0 +1,29 @@
+apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
+kind: FlowSchema
+metadata:
+ name: exempt-token-and-subject-access-reviews
+spec:
+ # Setting higher priority to ensure it's evaluated before other FlowSchemas
+ priorityLevelConfiguration:
+ name: exempt
+ matchingPrecedence: 10000
+ rules:
+ - subjects:
+ # Matches all subjects (users, groups, service accounts)
+ - kind: Group
+ group:
+ name: system:authenticated
+ # Add other subjects if needed
+ resourceRules:
+ - verbs:
+ - '*'
+ resources:
+ - 'tokenreviews'
+ apiGroups:
+ - 'authentication.k8s.io'
+ - verbs:
+ - '*'
+ resources:
+ - 'subjectaccessreviews'
+ apiGroups:
+ - 'authorization.k8s.io'
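Review bot: `matchingPrecedence: 10000` does the opposite of what the comment above it says: in API Priority and Fairness a lower value is evaluated first (the built-in `exempt` FlowSchema uses 1 and `catch-all` uses 10000), so at 10000 this schema sits behind `service-accounts` and `global-default` and in practice should never match. Use a low value, e.g. `matchingPrecedence: 2`, and reword the comment to `# Low matchingPrecedence so this is evaluated before the built-in service-accounts/global-default schemas`. Note the security trade-off of routing to the `exempt` priority level: every member of `system:authenticated` (any service account token) then gets unbounded, unqueued TokenReview/SubjectAccessReview traffic to the API server, so consider narrowing `subjects` to the gateway's service account or using a dedicated limited PriorityLevelConfiguration. The comment `# Matches all subjects` is also inaccurate, since `system:authenticated` excludes anonymous requests.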
diff --git a/cluster/charts/spaces/templates/router/clusterrole.yaml b/cluster/charts/spaces/templates/router/clusterrole.yaml
index c0097ae5..8194bc1f 100644
--- a/cluster/charts/spaces/templates/router/clusterrole.yaml
+++ b/cluster/charts/spaces/templates/router/clusterrole.yaml
@@ -9,7 +9,7 @@ rules:
- apiGroups:
- internal.spaces.upbound.io
resources:
- - hostclusters
+ - xhostclusters
verbs:
- get
- list
diff --git a/cmd/gateway/main.go b/cmd/gateway/main.go
index e5c646c7..cfc6acff 100644
--- a/cmd/gateway/main.go
+++ b/cmd/gateway/main.go
@@ -19,7 +19,6 @@ import (
"golang.org/x/sync/errgroup"
"k8s.io/client-go/rest"
- "k8s.io/client-go/transport"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client/config"
"sigs.k8s.io/controller-runtime/pkg/log/zap"
@@ -164,29 +163,19 @@ func (c *Command) runGateway(ctx context.Context, log logging.Logger) error {
}
func roundTripperForRestConfig(config *rest.Config) (http.RoundTripper, error) {
+ cpy := *config
+
// NOTE(epk): these values match the burst and QPS values in kubectl.
// xref: https://github.com/kubernetes/kubernetes/pull/105520
- config.Burst = 300
- config.QPS = 50
-
- tlsConf, err := rest.TLSConfigFor(config)
- if err != nil {
- return nil, err
- }
+ cpy.Burst = 300
+ cpy.QPS = 50
- tlsTransport := &http.Transport{
- TLSClientConfig: tlsConf,
- }
-
- restTransportConfig, err := config.TransportConfig()
+ rt, err := rest.TransportFor(&cpy)
if err != nil {
return nil, err
}
- kubeRT, err := transport.HTTPWrappersForConfig(restTransportConfig, tlsTransport)
- if err != nil {
- return nil, err
- }
+ fmt.Printf("rt: %v\n", rt)
- return kubeRT, nil
+ return rt, nil
}
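Review bot: The `fmt.Printf("rt: %v\n", rt)` left in `roundTripperForRestConfig` looks like a debug print and should be removed before merging. If the rest.Config carries a bearer token (in-cluster config does), client-go's bearer round tripper is the outermost wrapper returned by `rest.TransportFor` and keeps the token in a plain string field, so `%v` on that pointer would presumably print the service-account credential to stdout at every gateway start; verify, but either way drop the line or log via `log.Debug` without the value. The switch to `rest.TransportFor(&cpy)` on a copied config is a good change (it stops mutating the caller's config and re-uses client-go's TLS/auth wrapping); a short comment such as `// Work on a copy so the caller's config is not mutated.` above `cpy := *config` would capture the intent.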
diff --git a/internal/server/gateway/gateway.go b/internal/server/gateway/gateway.go
index 8510b074..bbda3cb3 100644
--- a/internal/server/gateway/gateway.go
+++ b/internal/server/gateway/gateway.go
@@ -12,6 +12,7 @@ import (
"github.com/crossplane/crossplane-runtime/pkg/errors"
"github.com/go-chi/chi/v5"
+
"k8s.io/client-go/transport"
"github.com/upbound/mxe/internal/logging"
@@ -53,6 +54,7 @@ var (
"Accept-Encoding",
"Accept",
"User-Agent",
+ "Audit-Id",
}
)
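Review bot: The list that `"Audit-Id"` is appended to is declared above this hunk, so its purpose (headers forwarded to the upstream API server, or headers stripped) is not visible here; a comment on the new entry would help, e.g. `// Audit-Id: forwarded so the upstream audit log can be correlated with the client request.` If this is a forward allowlist, keep in mind that the API server honours a client-supplied Audit-Id, so values reaching the upstream audit log are caller-chosen and neither unique nor trustworthy for anything beyond correlation. The enclosing `var (` block starts outside the hunk.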
@@ -118,7 +120,6 @@ func (gw *Gateway) K8sHandler() http.HandlerFunc {
pReq.URL.Path = chi.URLParam(r, "*") // k8s/path -> path
proxy.ServeHTTP(w, pReq)
-
}
}