The MCP server minted a hub SA token once at startup and reused it for
the life of the process, so a long-running server 401'd silently after
the ~1h token TTL.
- utils/http: the hub round-tripper now sources the SA token via a
func() string per request (static constructors preserved), so a
renewing source keeps long-lived clients authenticated.
- kubernetes: add HubTokenRenewer — re-mints the kubeshark-cli token
before expiry (using the TokenRequest expiry, 5m margin), concurrency-safe.
- mcp proxy mode: use the renewer so the token auto-renews.
- mcp --url mode: cannot mint (no kube access) — accept an explicit
--token / KUBESHARK_HUB_TOKEN, and on 401 surface a clear 'token
expired/invalid, re-mint and restart' message instead of an opaque
API error.
console is intentionally untouched (non-functional pending the
Connect-RPC re-point); it gets renewal when that migration lands.
Provider.MintHubToken requests a short-lived token (audience kubeshark-hub)
for the kubeshark-cli ServiceAccount via the TokenRequest API. The Hub
client now prefers that token via the X-Kubeshark-Authorization custom
header (which survives the kube API-server proxy), falling back to
License-Key when minting isn't possible (--url mode, SA missing, or no
RBAC to mint). The MCP runner mints once at startup.
Pairs with hub branch cli-sa-auth. Needs the helm kubeshark-cli SA + RBAC
and the hub AUTH_CLI_SERVICE_ACCOUNTS allowlist to validate end-to-end.
Add a License-Key RoundTripper plus NewHubHTTPClient / HubAuthTransport
helpers in utils, and route the MCP runner's Hub clients (connect, --url
validate, file download, tools list) through them so the CLI keeps working
once the Hub enforces auth. License-Key is a custom header, so it survives
the kube API-server service proxy (a bearer token would not). Surface
ErrHubAuthRequired on a 401/302 from the Hub.
console already sends License-Key on its ws connection. pprof is not
covered here: it shells out to 'go tool pprof <hubUrl>' / opens a browser,
external fetches that can't carry a custom header (follow-up).
* Add `X-Kubeshark-Capture: ignore` header to all of the HTTP requests
* Add `X-Kubeshark-Capture: ignore` header to WebSocket requests
* Reduce duplication
* ✨ Use the Helm chart in `tap` command to install Kubeshark
* ⬆️ Set Go version to `1.19` in `go.mod` file
* ✨ Add `Helm` struct`, `NewHelm` and `NewHelmDefault` methods
* ⚡ Better logging and error return
* ⚡ Pass the config as `values.yaml` to Helm install
* 🔥 Remove `helm-chart`, `manifests` and `check` commands
* ➖ Run `go mod tidy`
* 🎨 Move `helm` package into `kubernetes` package
* 🔥 Remove `# THIS FILE IS AUTOMATICALLY GENERATED BY KUBESHARK CLI. DO NOT EDIT!` notice from the manifests and Helm templates
* 🔥 Remove the unused `GenerateApplyConfiguration` and `buildWithDefaultLabels` methods
* Use `github.com/rs/zerolog` for logging
* Use `github.com/rs/zerolog` for logging (continue)
* Add `debug` flag
* Remove `github.com/op/go-logging` dependency completely
* Fix linter
* Remove `logger` module
* Remove `shared` module
* Move `cli` folder contents into project root
* Fix linter
* Change the module name from `github.com/kubeshark/kubeshark/cli` to `github.com/kubeshark/kubeshark`
* Set the default `Makefile` rule to `build`
* Add `lint` rule
* Fix the linter errors