feat: add static token authentication support to kubeconfig()

- Add token field to KubeconfgCluster struct for bearer token auth
- Update kubeconfig template to support both token and exec-based auth
- Exec-based auth takes priority when both are provided
- Add comprehensive tests for token and exec authentication
- Add TypeScript definitions for token field
- Add example stack files demonstrating usage
- Add Kubernetes integration guide to website docs
- Update DSL quick reference with kubeconfig examples

Useful for CI/CD pipelines, service accounts, and environments
without cloud CLI tools installed.

Author: speier

CHANGELOG.md

@@ -7,6 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.7.1] - 2025-10-29
+
+### Added
+- **`kubeconfig()` now supports static token authentication** - Added `token` field for bearer token auth
+  - Use `token: "your-token"` instead of `exec_command` for simplified authentication
+  - Mutually exclusive with exec-based authentication (exec_command takes priority if both provided)
+  - Useful for CI/CD pipelines, service accounts, and environments without cloud CLI tools
+  - Example: `kubeconfig({ clusters: [{ context: "ctx", host: "...", cert: "...", token: "..." }] })`
+
 ## [0.7.0] - 2025-10-29
 
 ### Fixed
@@ -204,7 +213,8 @@ bootstrap:
 - Support for Terraform and OpenTofu
 - CLI commands: plan, apply, destroy, list, output, clean
 
-[Unreleased]: https://github.com/moonwalker/comet/compare/v0.7.0...HEAD
+[Unreleased]: https://github.com/moonwalker/comet/compare/v0.7.1...HEAD
+[0.7.1]: https://github.com/moonwalker/comet/compare/v0.7.0...v0.7.1
 [0.7.0]: https://github.com/moonwalker/comet/releases/tag/v0.7.0
 [0.6.8]: https://github.com/moonwalker/comet/releases/tag/v0.6.8
 [0.6.7]: https://github.com/moonwalker/comet/releases/tag/v0.6.7

docs/dsl-quick-reference.md

@@ -42,6 +42,47 @@ secrets('sops://other-file.yaml#/special/secret')
 secrets('op://vault/item/field')
 ```
 
+## Kubernetes Config
+
+Configure kubectl access for your clusters:
+
+```javascript
+// Token-based authentication (simple, for CI/CD)
+kubeconfig({
+  current: 0,
+  clusters: [{
+    context: 'my-cluster',
+    host: 'https://kubernetes.example.com',
+    cert: 'LS0tLS1CRUdJTi...',  // Base64-encoded CA cert
+    token: 'dop_v1_...'          // Static bearer token
+  }]
+})
+
+// Exec-based authentication (more secure, uses cloud CLI)
+kubeconfig({
+  current: 0,
+  clusters: [{
+    context: 'my-cluster',
+    host: 'https://kubernetes.example.com',
+    cert: 'LS0tLS1CRUdJTi...',
+    exec_command: 'doctl',
+    exec_args: ['kubernetes', 'cluster', 'kubeconfig', 'exec-credential']
+  }]
+})
+
+// Use with secrets (recommended)
+const cluster = secret('k8s/cluster')
+kubeconfig({
+  current: 0,
+  clusters: [{
+    context: cluster.context,
+    host: cluster.host,
+    cert: cluster.cert,
+    token: cluster.token
+  }]
+})
+```
+
 ## Userland Patterns
 
 Create your own helpers for your team's patterns:

internal/schema/kubeconfig.go

@@ -25,6 +25,7 @@ type (
 		Context        string      `json:"context"`
 		Host           string      `json:"host"`
 		Cert           string      `json:"cert"`
+		Token          string      `json:"token"` // Static token authentication
 		ExecApiVersion string      `json:"exec_apiversion"`
 		ExecCommand    string      `json:"exec_command"`
 		ExecArgs       interface{} `json:"exec_args"` // Can be []string or string (template)
@@ -208,6 +209,7 @@ users:
 {{- range .Clusters }}
   - name: {{ .Context }}
     user:
+{{- if .ExecCommand }}
       exec:
         apiVersion: {{ .ExecApiVersion }}
         command: {{ .ExecCommand }}
@@ -217,4 +219,7 @@ users:
         - {{ . }}
         {{-  end }}
         {{- end }}
+{{- else if .Token }}
+      token: {{ .Token }}
+{{- end }}
 {{- end }}`

internal/schema/kubeconfig_test.go

@@ -0,0 +1,183 @@
+package schema
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+	"text/template"
+)
+
+func TestKubeconfigTemplate(t *testing.T) {
+	tests := []struct {
+		name     string
+		config   *Kubeconfig
+		wantAuth string // Expected auth section in output
+	}{
+		{
+			name: "token authentication",
+			config: &Kubeconfig{
+				Current: 0,
+				Clusters: []*KubeconfgCluster{
+					{
+						Context:        "test-cluster",
+						Host:           "https://kubernetes.example.com",
+						Cert:           "LS0tLS1CRUdJTi1DRVJUSUZJQ0FURS0tLS0t",
+						Token:          "test-token-12345",
+						ExecApiVersion: "client.authentication.k8s.io/v1beta1",
+					},
+				},
+			},
+			wantAuth: "token: test-token-12345",
+		},
+		{
+			name: "exec authentication",
+			config: &Kubeconfig{
+				Current: 0,
+				Clusters: []*KubeconfgCluster{
+					{
+						Context:        "test-cluster",
+						Host:           "https://kubernetes.example.com",
+						Cert:           "LS0tLS1CRUdJTi1DRVJUSUZJQ0FURS0tLS0t",
+						ExecCommand:    "kubectl",
+						ExecArgs:       []string{"get-token"},
+						ExecApiVersion: "client.authentication.k8s.io/v1beta1",
+					},
+				},
+			},
+			wantAuth: "command: kubectl",
+		},
+		{
+			name: "exec takes priority over token",
+			config: &Kubeconfig{
+				Current: 0,
+				Clusters: []*KubeconfgCluster{
+					{
+						Context:        "test-cluster",
+						Host:           "https://kubernetes.example.com",
+						Cert:           "LS0tLS1CRUdJTi1DRVJUSUZJQ0FURS0tLS0t",
+						Token:          "test-token-12345",
+						ExecCommand:    "kubectl",
+						ExecArgs:       []string{"get-token"},
+						ExecApiVersion: "client.authentication.k8s.io/v1beta1",
+					},
+				},
+			},
+			wantAuth: "command: kubectl",
+		},
+		{
+			name: "no authentication",
+			config: &Kubeconfig{
+				Current: 0,
+				Clusters: []*KubeconfgCluster{
+					{
+						Context:        "test-cluster",
+						Host:           "https://kubernetes.example.com",
+						Cert:           "LS0tLS1CRUdJTi1DRVJUSUZJQ0FURS0tLS0t",
+						ExecApiVersion: "client.authentication.k8s.io/v1beta1",
+					},
+				},
+			},
+			wantAuth: "", // No auth expected
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Normalize exec args
+			for _, c := range tt.config.Clusters {
+				c.ExecArgs = normalizeExecArgs(c.ExecArgs)
+			}
+
+			// Render template
+			tmpl, err := template.New("k").Parse(kubeconfigTemplate)
+			if err != nil {
+				t.Fatalf("template.Parse() error = %v", err)
+			}
+
+			var buf bytes.Buffer
+			err = tmpl.Execute(&buf, tt.config)
+			if err != nil {
+				t.Fatalf("template.Execute() error = %v", err)
+			}
+
+			output := buf.String()
+
+			// Check for expected auth if specified
+			if tt.wantAuth != "" {
+				if !strings.Contains(output, tt.wantAuth) {
+					t.Errorf("output missing expected auth: %q\nGot:\n%s", tt.wantAuth, output)
+				}
+			}
+
+			// Ensure valid YAML structure
+			if !strings.Contains(output, "apiVersion: v1") {
+				t.Errorf("output missing apiVersion")
+			}
+			if !strings.Contains(output, "kind: Config") {
+				t.Errorf("output missing kind")
+			}
+			if !strings.Contains(output, "current-context: test-cluster") {
+				t.Errorf("output missing current-context")
+			}
+		})
+	}
+}
+
+func TestNormalizeExecArgs(t *testing.T) {
+	tests := []struct {
+		name string
+		args interface{}
+		want []string
+	}{
+		{
+			name: "nil args",
+			args: nil,
+			want: nil,
+		},
+		{
+			name: "string slice",
+			args: []string{"arg1", "arg2"},
+			want: []string{"arg1", "arg2"},
+		},
+		{
+			name: "interface slice",
+			args: []interface{}{"arg1", "arg2", 123},
+			want: []string{"arg1", "arg2", "123"},
+		},
+		{
+			name: "JSON array string",
+			args: `["arg1", "arg2"]`,
+			want: []string{"arg1", "arg2"},
+		},
+		{
+			name: "Go slice string",
+			args: "[arg1 arg2 arg3]",
+			want: []string{"arg1", "arg2", "arg3"},
+		},
+		{
+			name: "single string",
+			args: "single-arg",
+			want: []string{"single-arg"},
+		},
+		{
+			name: "empty string",
+			args: "",
+			want: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := normalizeExecArgs(tt.args)
+			if len(got) != len(tt.want) {
+				t.Errorf("normalizeExecArgs() = %v, want %v", got, tt.want)
+				return
+			}
+			for i := range got {
+				if got[i] != tt.want[i] {
+					t.Errorf("normalizeExecArgs()[%d] = %v, want %v", i, got[i], tt.want[i])
+				}
+			}
+		})
+	}
+}

internal/types/index.d.ts

@@ -103,7 +103,9 @@ export interface KubeconfigCluster {
   host: string;
   /** Base64-encoded cluster CA certificate */
   cert: string;
-  /** Exec plugin command */
+  /** Static bearer token for authentication (mutually exclusive with exec_command) */
+  token?: string;
+  /** Exec plugin command (mutually exclusive with token) */
   exec_command?: string;
   /** Exec plugin arguments */
   exec_args?: string[];

stacks/_examples/kubeconfig-token-auth.stack.js

@@ -0,0 +1,72 @@
+// Example: Using static token authentication in kubeconfig()
+//
+// This demonstrates how to use token-based authentication instead of
+// exec-based credential providers. Useful for CI/CD pipelines and
+// simplified environments.
+
+stack({
+  name: 'token-auth-example',
+  backend: 'local'
+})
+
+// Example 1: Token-based authentication
+kubeconfig({
+  current: 0,
+  clusters: [
+    {
+      context: 'my-cluster-token',
+      host: 'https://kubernetes.example.com',
+      cert: 'LS0tLS1CRUdJTi...', // Base64-encoded CA cert
+      token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Ij...' // Static bearer token
+    }
+  ]
+})
+
+// Example 2: Exec-based authentication (existing behavior)
+kubeconfig({
+  current: 0,
+  clusters: [
+    {
+      context: 'my-cluster-exec',
+      host: 'https://kubernetes.example.com',
+      cert: 'LS0tLS1CRUdJTi...',
+      exec_command: 'doctl',
+      exec_args: ['kubernetes', 'cluster', 'kubeconfig', 'exec-credential', '--version=v1beta1', 'my-cluster']
+    }
+  ]
+})
+
+// Example 3: Using with secrets (recommended for tokens)
+// const cluster = secret('op://vault/k8s-cluster/config')
+//
+// kubeconfig({
+//   current: 0,
+//   clusters: [
+//     {
+//       context: cluster.context,
+//       host: cluster.host,
+//       cert: cluster.cert,
+//       token: cluster.token  // Token from secrets provider
+//     }
+//   ]
+// })
+
+// Example 4: Multiple clusters with mixed authentication
+kubeconfig({
+  current: 0,
+  clusters: [
+    {
+      context: 'prod-cluster',
+      host: 'https://prod.k8s.example.com',
+      cert: 'LS0tLS1CRUdJTi...',
+      exec_command: 'gcloud',
+      exec_args: ['container', 'clusters', 'get-credentials', 'prod-cluster']
+    },
+    {
+      context: 'ci-cluster',
+      host: 'https://ci.k8s.example.com',
+      cert: 'LS0tLS1CRUdJTi...',
+      token: 'service-account-token-here' // Static token for CI
+    }
+  ]
+})

stacks/_examples/test-token-auth.stack.js

@@ -0,0 +1,18 @@
+// Test stack for token authentication feature
+stack({
+  name: 'test-token-auth',
+  backend: 'local'
+})
+
+// Using token authentication
+kubeconfig({
+  current: 0,
+  clusters: [
+    {
+      context: 'test-cluster',
+      host: 'https://kubernetes.example.com',
+      cert: 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJlRENDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUzTXpBME16azRPRFF3SGhjTk1qUXhNREkwTVRrd056STBXaGNOTXpReE1ESXlNVGt3TnpJMApXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUzTXpBME16azRPRFF3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFSMWlLK05qV0h1YzY1WVZXK3pjNVhOcmcrMGRiQWNwZDVBekE3cW9aNXoKdVdqNVlTOWFaOVdMSlg3dHh5ME5kZUlOQmFtZ3hHQWNxWGFLUWJmbmlvMEl3UURBT0JnTlZIUThCQWY4RUJBTUNBY0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVeG92OFJCUXJwYjRvK1hOYlRaNm9vCnN3RDdnVVF3Q2dZSUtvWkl6ajBFQXdJRFNRQXdSZ0loQU9NMkFrdkpPa2lqQytGdTRnVWVBT1pUeTBxdTdOcnYKY0lFRXRVTmpWQW5wQWlFQTE1ZEoxY3k4SlUwSUlSOUdDT2RqK0ZUVTJyVUhEYlhab0I0MXBOZitTVjg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K',
+      token: 'dop_v1_1234567890abcdef1234567890abcdef1234567890abcdef1234567890ab'
+    }
+  ]
+})