mirror of
https://github.com/kubeshark/kubeshark.git
synced 2026-07-09 08:29:59 +00:00
The MCP server minted a hub SA token once at startup and reused it for the life of the process, so a long-running server 401'd silently after the ~1h token TTL. - utils/http: the hub round-tripper now sources the SA token via a func() string per request (static constructors preserved), so a renewing source keeps long-lived clients authenticated. - kubernetes: add HubTokenRenewer — re-mints the kubeshark-cli token before expiry (using the TokenRequest expiry, 5m margin), concurrency-safe. - mcp proxy mode: use the renewer so the token auto-renews. - mcp --url mode: cannot mint (no kube access) — accept an explicit --token / KUBESHARK_HUB_TOKEN, and on 401 surface a clear 'token expired/invalid, re-mint and restart' message instead of an opaque API error. console is intentionally untouched (non-functional pending the Connect-RPC re-point); it gets renewal when that migration lands.