fix: merge global agent CA certificates with cluster-specific ones

[cyphercodes]

Description

When system certificates are configured through the global https.agent, they were being ignored by the kubernetes-client because it provides its own dispatcher to undici. This PR merges the global agent's CA certificates with any cluster-specific CA certificates, ensuring that custom CAs configured via the global agent are respected.

Changes

• Modified createDispatcherOptions in src/config.ts to:
  • Read CA certificates from https.globalAgent.options.ca
  • Merge global CA with cluster-specific CA by concatenating them
  • Handle both Buffer and string CA formats, as well as arrays

Testing

Added two new test cases:

1. should merge global agent CA with cluster CA - verifies that when both global and cluster CAs are present, they are concatenated
2. should use global CA when no cluster CA is provided - verifies that global CA is used when no cluster CA is specified

Related Issue

Fixes #2546

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: cyphercodes / name: Rayan Salhab (8b827be)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: cyphercodes
Once this PR has been reviewed and has the lgtm label, please assign davidgamero for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Welcome @cyphercodes!

It looks like this is your first PR to kubernetes-client/javascript 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-client/javascript has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[brendandburns]

What is the behavior if tlsOptions.ca is null/undefined? Wouldn't it fall back on the global CA anyway? Why is this necessary?

[brendandburns]

What is the use case for this? If there is a CA in the kubeconfig, that should be the CA for the server, the global CAs shouldn't be necessary.

[cyphercodes]

I updated the commit message to remove the forbidden closing keyword/# mention. On the CA question: this client builds its own undici dispatcher, so it does not inherit https.globalAgent.options.ca; leaving tlsOptions.ca unset falls back to Node defaults rather than app-provided global CAs. Merging preserves kubeconfig CAs while also allowing private/system CAs loaded by an embedding app. Remaining blocker: EasyCLA still reports my CLA is not authorized, so I need to complete the EasyCLA signing link.

[cyphercodes]

I pushed a small follow-up that only applies Prettier to src/config.ts so lint passes. I verified npm run lint, npm run build, npm test, and the focused src/config_test.ts run locally.

On the CA question: this path builds an undici dispatcher, so it does not inherit https.globalAgent.options.ca; merging keeps kubeconfig CAs while also honoring private/system CAs an embedding app has loaded globally. The remaining blocker is EasyCLA still reporting my CLA authorization as missing, so I need to complete the EasyCLA signing link.