Commit Graph

10 Commits

Author SHA1 Message Date
Volodymyr Stoiko
28079745c7 Merge branch 'master' into gated-auth
Conflicts were in the helm chart's auth config, where master's permissions
refactor (fcceed23) reordered the AUTH_* config-map keys and replaced the
inline tap.auth.roles tree with roles/rolesClaim/defaultRole/groupMapping —
directly alongside gated-auth's new CLI ServiceAccount-token auth. Neither
side removed the other's work, so both are kept.

Also promote tap.auth.cli to a real config field. It had been hand-written
into helm-chart/values.yaml, which is generated by `make generate-helm-values`
(bin/kubeshark__ config > helm-chart/values.yaml). The next regeneration would
have silently dropped the key, leaving 22-cli-auth.yaml unable to render the
ServiceAccount. Add CliAuthConfig/CliAuthSubject to AuthConfig and regenerate
values.yaml from source, so the block now round-trips.

Subject fields carry omitempty so User/Group entries don't emit an empty
namespace and ServiceAccount entries don't emit an empty apiGroup, keeping
the rendered RoleBinding idiomatic.

values.yaml is generated and cannot hold comments, so the tap.auth.cli docs
live in helm-chart/README.md alongside the other tap.auth.* rows. Drop the
internal plan phase labels from the CLI and utils comments; phases exist only
in local planning docs.
2026-07-14 18:49:34 +00:00
Volodymyr Stoiko
db6f7de8c7 cli/mcp: address Copilot review (token fallback, SSO redirects, messages)
- hubtoken: HubTokenRenewer.Token() no longer hands out an already-expired
  token on mint failure — returns "" so the round-tripper falls back to the
  License-Key instead of looping on 401s.
- utils/http: hub clients no longer follow SSO redirects (StopOnSSORedirect
  CheckRedirect on 302/303), and IsAuthRequired covers 302+303, so auth
  detection is reliable instead of silently following to an HTML login page.
- mcpRunner: fetchHubMCP/callHubTool/fetchAndDisplayTools/callDownloadFile
  use utils.IsAuthRequired (401 + unfollowed redirect) instead of bare 401;
  download path checks it before writing the body to disk; URL-mode auth
  message now also mentions the License-Key fallback.
2026-06-16 20:55:22 +00:00
Volodymyr Stoiko
04d7b04c19 cli/mcp: auto-renew hub token in proxy mode; explicit token + clear expiry in --url mode
The MCP server minted a hub SA token once at startup and reused it for
the life of the process, so a long-running server 401'd silently after
the ~1h token TTL.

- utils/http: the hub round-tripper now sources the SA token via a
  func() string per request (static constructors preserved), so a
  renewing source keeps long-lived clients authenticated.
- kubernetes: add HubTokenRenewer — re-mints the kubeshark-cli token
  before expiry (using the TokenRequest expiry, 5m margin), concurrency-safe.
- mcp proxy mode: use the renewer so the token auto-renews.
- mcp --url mode: cannot mint (no kube access) — accept an explicit
  --token / KUBESHARK_HUB_TOKEN, and on 401 surface a clear 'token
  expired/invalid, re-mint and restart' message instead of an opaque
  API error.

console is intentionally untouched (non-functional pending the
Connect-RPC re-point); it gets renewal when that migration lands.
2026-06-16 19:08:03 +00:00
Volodymyr Stoiko
7c67abc3fd cli: mint a ServiceAccount token for gated Hub auth (phase 2a)
Provider.MintHubToken requests a short-lived token (audience kubeshark-hub)
for the kubeshark-cli ServiceAccount via the TokenRequest API. The Hub
client now prefers that token via the X-Kubeshark-Authorization custom
header (which survives the kube API-server proxy), falling back to
License-Key when minting isn't possible (--url mode, SA missing, or no
RBAC to mint). The MCP runner mints once at startup.

Pairs with hub branch cli-sa-auth. Needs the helm kubeshark-cli SA + RBAC
and the hub AUTH_CLI_SERVICE_ACCOUNTS allowlist to validate end-to-end.
2026-06-15 21:47:07 +00:00
Volodymyr Stoiko
6ba67ef3f5 cli: authenticate Hub HTTP requests with License-Key (gated-auth phase 1)
Add a License-Key RoundTripper plus NewHubHTTPClient / HubAuthTransport
helpers in utils, and route the MCP runner's Hub clients (connect, --url
validate, file download, tools list) through them so the CLI keeps working
once the Hub enforces auth. License-Key is a custom header, so it survives
the kube API-server service proxy (a bearer token would not). Surface
ErrHubAuthRequired on a 401/302 from the Hub.

console already sends License-Key on its ws connection. pprof is not
covered here: it shells out to 'go tool pprof <hubUrl>' / opens a browser,
external fetches that can't carry a custom header (follow-up).
2026-06-15 20:59:27 +00:00
M. Mert Yildiran
e0dec54c6a Fix method name 2024-08-19 21:14:31 +03:00
M. Mert Yildiran
ba126dff51 Add X-Kubeshark-Capture: ignore header to all of the HTTP requests (#1579)
* Add `X-Kubeshark-Capture: ignore` header to all of the HTTP requests

* Add `X-Kubeshark-Capture: ignore` header to WebSocket requests

* Reduce duplication
2024-08-10 15:35:54 -07:00
M. Mert Yildiran
646da4810d Allow license key holders to bypass the auth 2023-06-19 01:44:01 +03:00
M. Mert Yildiran
671aa783c5 🔨 Replace ApiServer naming with Hub 2022-11-26 22:06:06 +03:00
M. Mert Yildiran
fa5a87b9d5 💄 Give better names to the files in utils package 2022-11-26 21:34:45 +03:00