Commit Graph

8 Commits

Author SHA1 Message Date
Volodymyr Stoiko
04d7b04c19 cli/mcp: auto-renew hub token in proxy mode; explicit token + clear expiry in --url mode
The MCP server minted a hub SA token once at startup and reused it for
the life of the process, so a long-running server 401'd silently after
the ~1h token TTL.

- utils/http: the hub round-tripper now sources the SA token via a
  func() string per request (static constructors preserved), so a
  renewing source keeps long-lived clients authenticated.
- kubernetes: add HubTokenRenewer — re-mints the kubeshark-cli token
  before expiry (using the TokenRequest expiry, 5m margin), concurrency-safe.
- mcp proxy mode: use the renewer so the token auto-renews.
- mcp --url mode: cannot mint (no kube access) — accept an explicit
  --token / KUBESHARK_HUB_TOKEN, and on 401 surface a clear 'token
  expired/invalid, re-mint and restart' message instead of an opaque
  API error.

console is intentionally untouched (non-functional pending the
Connect-RPC re-point); it gets renewal when that migration lands.
2026-06-16 19:08:03 +00:00
Volodymyr Stoiko
7c67abc3fd cli: mint a ServiceAccount token for gated Hub auth (phase 2a)
Provider.MintHubToken requests a short-lived token (audience kubeshark-hub)
for the kubeshark-cli ServiceAccount via the TokenRequest API. The Hub
client now prefers that token via the X-Kubeshark-Authorization custom
header (which survives the kube API-server proxy), falling back to
License-Key when minting isn't possible (--url mode, SA missing, or no
RBAC to mint). The MCP runner mints once at startup.

Pairs with hub branch cli-sa-auth. Needs the helm kubeshark-cli SA + RBAC
and the hub AUTH_CLI_SERVICE_ACCOUNTS allowlist to validate end-to-end.
2026-06-15 21:47:07 +00:00
Volodymyr Stoiko
6ba67ef3f5 cli: authenticate Hub HTTP requests with License-Key (gated-auth phase 1)
Add a License-Key RoundTripper plus NewHubHTTPClient / HubAuthTransport
helpers in utils, and route the MCP runner's Hub clients (connect, --url
validate, file download, tools list) through them so the CLI keeps working
once the Hub enforces auth. License-Key is a custom header, so it survives
the kube API-server service proxy (a bearer token would not). Surface
ErrHubAuthRequired on a 401/302 from the Hub.

console already sends License-Key on its ws connection. pprof is not
covered here: it shells out to 'go tool pprof <hubUrl>' / opens a browser,
external fetches that can't carry a custom header (follow-up).
2026-06-15 20:59:27 +00:00
M. Mert Yildiran
e0dec54c6a Fix method name 2024-08-19 21:14:31 +03:00
M. Mert Yildiran
ba126dff51 Add X-Kubeshark-Capture: ignore header to all of the HTTP requests (#1579)
* Add `X-Kubeshark-Capture: ignore` header to all of the HTTP requests

* Add `X-Kubeshark-Capture: ignore` header to WebSocket requests

* Reduce duplication
2024-08-10 15:35:54 -07:00
M. Mert Yildiran
646da4810d Allow license key holders to bypass the auth 2023-06-19 01:44:01 +03:00
M. Mert Yildiran
671aa783c5 🔨 Replace ApiServer naming with Hub 2022-11-26 22:06:06 +03:00
M. Mert Yildiran
fa5a87b9d5 💄 Give better names to the files in utils package 2022-11-26 21:34:45 +03:00