kubeconfighook

package
v6.8.2
Warning

This package is not in the latest version of its module.

Published: Apr 11, 2026 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Overview

Package kubeconfighook provides a centralized hook that transparently refreshes Omni kubeconfig tokens before they expire. The hook is wired into Cobra's PersistentPreRunE so that every CLI command automatically gets a fresh token when needed.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsKubeconfigStale added in v6.8.1

func IsKubeconfigStale(kubeconfigPath, kubeconfigContext string) bool

IsKubeconfigStale performs a lightweight API server health check to detect kubeconfigs with valid (non-expired) tokens that are rejected by the server. This happens when a cluster is recreated with the same name — the old token is structurally valid but the new cluster does not accept it.

Returns true when:

  • The kubeconfig cannot be loaded or the configured context is missing (subsequent K8s operations would fail anyway, so a refresh is warranted)
  • The API server explicitly rejects the credentials (HTTP 401/403)

Returns false when:

  • The API server responds successfully (credentials are valid)
  • A non-auth error occurs (connection refused, timeout, TLS errors) — the cluster is simply unreachable, not necessarily using stale credentials

func IsTokenExpired

func IsTokenExpired(kubeconfigPath, kubeconfigContext string) bool

IsTokenExpired checks whether the bearer token in the kubeconfig's specified context has expired (or will expire within the expiryBuffer).

When kubeconfigContext is non-empty, the token for that context is checked. When empty, the kubeconfig's CurrentContext is used.

Returns false (not expired) when the kubeconfig cannot be parsed, has no token, or the token is not a JWT — erring on the side of not refreshing unnecessarily.
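A local expiry check of the kind described above, added here as an example and not the package's own code: `tokenExpired`, `makeToken` and the five-minute `expiryBuffer` value are assumptions. The payload is decoded without verifying the signature, which is acceptable only because the result decides whether to refresh, never whether to trust the token.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// expiryBuffer is an assumed value; the package's real constant is not shown on this page.
const expiryBuffer = 5 * time.Minute

// tokenExpired reports whether a JWT's exp claim falls at or before now+buffer.
// The signature is NOT verified: the answer is only a hint to refresh.
// Anything that cannot be parsed returns false, matching the documented behaviour.
func tokenExpired(token string, now time.Time, buffer time.Duration) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false // opaque (non-JWT) bearer token
	}
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return false
	}
	var claims struct {
		Exp *float64 `json:"exp"` // NumericDate, may be fractional
	}
	if err := json.Unmarshal(payload, &claims); err != nil || claims.Exp == nil {
		return false // no usable exp claim: cannot decide locally
	}
	return !now.Add(buffer).Before(time.Unix(int64(*claims.Exp), 0))
}

// makeToken builds a constructed, unsigned sample JWT for the demo.
func makeToken(exp time.Time) string {
	enc := base64.RawURLEncoding.EncodeToString
	body := fmt.Sprintf(`{"sub":"sample","exp":%d}`, exp.Unix())
	return enc([]byte(`{"alg":"none"}`)) + "." + enc([]byte(body)) + ".sig"
}

func main() {
	now := time.Now()
	fmt.Println(tokenExpired(makeToken(now.Add(time.Hour)), now, expiryBuffer))   // false
	fmt.Println(tokenExpired(makeToken(now.Add(time.Minute)), now, expiryBuffer)) // true
	fmt.Println(tokenExpired("not-a-jwt", now, expiryBuffer))                     // false
}
```

Because a token with a tampered or missing `exp` simply reads as "not expired" here, the server-side rejection probe described under IsKubeconfigStale remains the check that catches credentials the cluster will not accept.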

func MaybeRefreshOmniKubeconfig

func MaybeRefreshOmniKubeconfig(cmd *cobra.Command)

MaybeRefreshOmniKubeconfig checks whether the current kubeconfig's service-account token is expired or stale for Omni-managed clusters and transparently refreshes it.

This function is designed to be called from Cobra PersistentPreRunE hooks. It is a fast no-op when:

  • No KSail config is found or the provider is not Omni
  • The kubeconfig file does not exist yet (e.g., before cluster create)

For Omni clusters with an existing kubeconfig, this function first checks JWT token expiry (~1ms, local-only). If the token is still valid, a lightweight API server probe (up to staleCheckTimeout) detects credentials that are structurally valid but rejected by a recreated cluster.

Refresh is triggered when:

  • The JWT token in the kubeconfig is expired or about to expire
  • The kubeconfig credentials are rejected by the API server (e.g., after cluster recreation with the same name)

On refresh failure, a warning is logged but the error is not propagated — the command proceeds with the existing kubeconfig.

Types

This section is empty.
