Skip to content

fix: refresh bearer token on each Prometheus query#150

Merged
geored merged 1 commit into
mainfrom
fix/prometheus-token-refresh
Jul 2, 2026
Merged

fix: refresh bearer token on each Prometheus query#150
geored merged 1 commit into
mainfrom
fix/prometheus-token-refresh

Conversation

@geored

@geored geored commented Jul 2, 2026

Copy link
Copy Markdown
Member

Summary

  • Fixes stale bearer token causing Prometheus queries to fail with "authentication failed" after OpenShift token expiry
  • Adds oc whoami -t as primary token source (always fresh), with kubeconfig re-read as fallback
  • Keeps in-memory config extraction as last resort for backwards compatibility

Problem

_get_k8s_bearer_token() read the token from Configuration.get_default_copy() — an in-memory snapshot from MCP server startup. OpenShift tokens expire (12-24h), so after some time all Prometheus/Thanos queries failed while other K8s API calls continued working (the K8s client handles refresh internally, but raw HTTP requests to Prometheus routes used the stale extracted token).

Test plan

  • Start Lumino MCP server, verify Prometheus queries work
  • Wait for token expiry (or manually invalidate), verify queries still work without /mcp restart
  • Verify in-cluster deployment still works (ServiceAccount token path unchanged)
  • Verify non-OpenShift environments fall back to kubeconfig re-read

🤖 Generated with Claude Code

The previous implementation read the bearer token from the in-memory
Kubernetes Configuration singleton, which was set once at server startup.
OpenShift tokens expire (typically 12-24h), causing all Prometheus queries
to fail with "authentication failed" while other K8s API calls continued
working (the K8s client handles refresh internally).

New fallback chain:
1. `oc whoami -t` — always returns a fresh token
2. Re-read kubeconfig file — covers non-oc environments
3. In-memory config — kept as last resort
4. ServiceAccount token file — in-cluster
5. Environment variables — manual override

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@geored geored merged commit 109b60e into main Jul 2, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants