frontend,backend: Add exec credential plugin auth support

Add support for exec-based credential plugins (Teleport tsh,
aws-iam-authenticator) and client certificate authentication.

Backend changes:
- kubeconfig: Detect auth type from exec config
- kubeconfig: Return "tsh" for Teleport, "exec" for others

Frontend changes:
- clusterApi: Use /version endpoint for exec/cert auth
- clusterApi: Add backward-compatible options parameter
- RouteSwitcher: Show auth-type specific error messages
- RouteSwitcher: Wait for clusters to load before auth check

Author: rushrs

backend/pkg/kubeconfig/kubeconfig.go

@@ -8,6 +8,7 @@ import (
 	"net/http/httputil"
 	"net/url"
 	"os"
+	"path/filepath"
 	"runtime"
 	"strings"
 
@@ -441,11 +442,39 @@ func (c *Context) SetupProxy() error {
 }
 
 // AuthType returns the authentication type for the context.
+// Returns "oidc" for OIDC authentication, "tsh" for Teleport exec plugin,
+// "exec" for other exec credential plugins, "client-cert" for client certificate auth,
+// or empty string for other auth types (token, basic auth, etc.).
+//
+// Priority order (first match wins):
+//  1. OIDC (AuthProvider configured)
+//  2. Exec plugin (tsh is detected specifically, otherwise generic "exec")
+//  3. Client certificate
+//
+// This priority is intentional: exec plugins are dynamic auth mechanisms that
+// require backend execution, while client certificates are static TLS credentials.
+// When both are present, exec typically represents the primary authentication method.
 func (c *Context) AuthType() string {
 	if (c.OidcConf != nil) || (c.AuthInfo != nil && c.AuthInfo.AuthProvider != nil) {
 		return "oidc"
 	}
 
+	// Check for exec credential plugin (e.g., Teleport tsh, aws-iam-authenticator)
+	if c.AuthInfo != nil && c.AuthInfo.Exec != nil {
+		// Check if it's Teleport's tsh command by checking the basename
+		// Using filepath.Base to avoid false positives like "/usr/bin/mytshell"
+		if filepath.Base(c.AuthInfo.Exec.Command) == "tsh" {
+			return "tsh"
+		}
+
+		return "exec"
+	}
+
+	// Check for client certificate authentication
+	if c.AuthInfo != nil && (c.AuthInfo.ClientCertificate != "" || len(c.AuthInfo.ClientCertificateData) > 0) {
+		return "client-cert"
+	}
+
 	return ""
 }
 

frontend/src/components/App/RouteSwitcher.tsx

@@ -143,6 +143,7 @@ interface AuthRouteProps {
   requiresAuth: boolean;
   requiresCluster: boolean;
   requiresToken: () => boolean;
+  clusters: ReturnType<typeof useClustersConf>;
   [otherProps: string]: any;
 }
 
@@ -153,15 +154,24 @@ function AuthRoute(props: AuthRouteProps) {
     requiresAuth = true,
     requiresCluster = true,
     computedMatch = {},
+    clusters,
     ...other
   } = props;
   const redirectRoute = getCluster() ? 'login' : 'chooser';
   useSidebarItem(sidebar, computedMatch);
   const cluster = useCluster();
+
+  // Get the cluster's auth type - for tsh/exec/client-cert, the backend handles auth
+  const clusterConfig = cluster && clusters ? clusters[cluster] : null;
+  const authType = clusterConfig?.auth_type || '';
+  const isExecOrCertAuth = authType === 'tsh' || authType === 'exec' || authType === 'client-cert';
+
   const query = useQuery({
-    queryKey: ['auth', cluster],
-    queryFn: () => testAuth(cluster!),
-    enabled: !!cluster && requiresAuth,
+    queryKey: ['auth', cluster, authType],
+    queryFn: () => testAuth(cluster!, { authType }),
+    // Run auth test for all auth types including exec/client-cert
+    // Wait for clusters to be loaded to ensure we have the correct authType
+    enabled: !!cluster && requiresAuth && !!clusters,
     retry: 0,
   });
 
@@ -182,6 +192,30 @@ function AuthRoute(props: AuthRouteProps) {
     }
 
     if (query.isError) {
+      // For tsh/exec/client-cert auth, show a helpful error message
+      if (isExecOrCertAuth) {
+        let errorMessage: string;
+        if (authType === 'tsh') {
+          errorMessage =
+            'Teleport authentication failed. Please run `tsh login` to refresh your credentials, then reload this page in your browser.';
+        } else if (authType === 'exec') {
+          errorMessage =
+            'Exec credential plugin authentication failed. Please refresh your credentials and try again.';
+        } else {
+          errorMessage =
+            'Client certificate authentication failed. Please check your certificates.';
+        }
+        return (
+          <ErrorComponent
+            error={{
+              name: 'AuthenticationError',
+              message: errorMessage,
+              stack: query.error instanceof Error ? query.error.message : String(query.error),
+            }}
+          />
+        );
+      }
+
       return (
         <Redirect
           to={{

frontend/src/components/authchooser/index.tsx

@@ -105,7 +105,15 @@ function AuthChooser({ children }: AuthChooserProps) {
       //   cluster, then we check here.
       // With clusterAuthType == oidc,
       //   they are presented with a choice of login or enter token.
-      if (clusterAuthType !== 'oidc' && cluster.useToken === undefined) {
+      // With clusterAuthType == exec, client-cert, or tsh,
+      //   RouteSwitcher handles auth - don't run testAuth here to avoid conflicts.
+      if (
+        clusterAuthType !== 'oidc' &&
+        clusterAuthType !== 'exec' &&
+        clusterAuthType !== 'client-cert' &&
+        clusterAuthType !== 'tsh' &&
+        cluster.useToken === undefined
+      ) {
         let useToken = true;
 
         setTestingAuth(true);

frontend/src/lib/k8s/api/v1/clusterApi.ts

@@ -27,18 +27,56 @@ import type { ClusterRequest } from './clusterRequests';
 import { clusterRequest, post, request } from './clusterRequests';
 import { JSON_HEADERS } from './constants';
 
+/**
+ * Options for testAuth function
+ */
+interface TestAuthOptions {
+  /** Namespace to use for authorization check (default: 'default') */
+  namespace?: string;
+  /** Auth type ('exec', 'client-cert', 'oidc', 'tsh', etc.) */
+  authType?: string;
+}
+
 /**
  * Test authentication for the given cluster.
- * Will throw an error if the user is not authenticated.
+ * Will throw an error if the user is not authenticated (401).
+ * Returns success for 403 since that means auth succeeded but user lacks permissions.
+ * @param cluster - The cluster to test auth for
+ * @param options - Can be a string (legacy: treated as namespace) or TestAuthOptions object
  */
-export async function testAuth(cluster = '', namespace = 'default') {
-  const spec = { namespace };
+export async function testAuth(cluster = '', options?: string | TestAuthOptions) {
   const clusterName = cluster || getCluster();
 
-  return post('/apis/authorization.k8s.io/v1/selfsubjectrulesreviews', { spec }, false, {
-    timeout: 5 * 1000,
-    cluster: clusterName,
-  });
+  // Backward compatibility: if options is a string, treat it as namespace (legacy behavior)
+  const resolvedOptions: TestAuthOptions =
+    typeof options === 'string' ? { namespace: options } : options ?? {};
+
+  const { namespace = 'default', authType } = resolvedOptions;
+
+  try {
+    // For tsh/exec auth (e.g., Teleport), use the cluster version endpoint
+    // which is accessible to any authenticated user without RBAC restrictions
+    if (authType === 'tsh' || authType === 'exec' || authType === 'client-cert') {
+      return clusterRequest('/version', {
+        timeout: 5 * 1000, // Longer timeout for exec auth plugins like tsh
+        cluster: clusterName,
+      });
+    }
+
+    // For standard auth types (token, oidc), use selfsubjectrulesreviews
+    const spec = { namespace };
+    return post('/apis/authorization.k8s.io/v1/selfsubjectrulesreviews', { spec }, false, {
+      timeout: 5 * 1000,
+      cluster: clusterName,
+    });
+  } catch (err: any) {
+    // 403 (Forbidden) means authentication worked, but user lacks permissions.
+    if (err.status === 403) {
+      return { authenticated: true, status: err.status };
+    }
+    // Re-throw 401 and other errors - those are real auth failures
+    throw err;
+  }
 }
 
 /**