Skip to content

Add Support for keychain#64

Merged
thojkooi merged 11 commits into
mainfrom
support-keychain
Jul 5, 2026
Merged

Add Support for keychain#64
thojkooi merged 11 commits into
mainfrom
support-keychain

Conversation

@thojkooi

@thojkooi thojkooi commented Jul 4, 2026

Copy link
Copy Markdown
Member

Add Support for keychain

thojkooi added 5 commits July 5, 2026 01:53
Introduce Write, CheckPermissions, and EnsurePermissions so config
files can be written and validated at 0600 without duplicating logic.
Store tokens and OIDC secrets via go-keyring under "Thalassa Cloud CLI",
with auto/file/keychain selection through THALASSA_CREDENTIAL_STORE.
Move secrets out of ~/.tcloud when keychain is available, migrate
plaintext credentials on load, and redact secrets from SanitizedConfig.
Warn on load when ~/.tcloud is world-readable and let users run
`tcloud context fix` to restrict access to 0600.
Use SanitizedConfig so `tcloud context view` never prints tokens or
client secrets, including when they are loaded from keychain.
@thojkooi thojkooi self-assigned this Jul 4, 2026
thojkooi added 4 commits July 5, 2026 02:11
Implement the client.authentication.k8s.io ExecCredential JSON writer
used by the kubernetes credential exec plugin.
Add shared kubeconfig templates so cluster session tokens can be
provided via a kubectl exec plugin instead of being written to disk.
Let exec credential calls pin organisation and project so kubeconfig
access keeps working after the active tcloud context changes.
Register `tcloud kubernetes credential` for kubectl, embed organisation
and project in exec args, and add --inline-token for the legacy flow.
@thojkooi thojkooi merged commit b61b328 into main Jul 5, 2026
3 checks passed
@thojkooi thojkooi deleted the support-keychain branch July 5, 2026 00:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant