Fix: credentials file path resolution in generate-kubeconfig

[yasun1]

Summary by CodeRabbit

• New Features

  • Credentials file resolution now supports a --credentials-file flag and provider-specific environment variables for GCP, AWS, and Azure.
  • Kubeconfig generation now integrates credential-provider execution and sets up credential environment values automatically.

• Improvements

  • AWS credential lookup now prefers the standard shared credentials environment variable before falling back to the legacy variable.

[coderabbitai]

Walkthrough

This change removes explicit HOME initialization from the Makefile and reworks kubeconfig generation to resolve provider credentials (GCP, AWS, Azure) from flags or environment variables, validate them, and propagate a provider-specific creds-path and creds-env. The kubeconfig generation now constructs an execConfig object (apiVersion, command, args, env, interactiveMode) that references an external credential-provider executable; the provider is invoked via the execConfig with credentials passed through environment variables.

Sequence Diagram(s)

sequenceDiagram
  participant User as User/CLI
  participant Gen as Kubeconfig Generator
  participant FS as Filesystem (creds file)
  participant Kubeconfig as kubeconfig
  participant Exec as hyperfleet-credential-provider
  participant Cloud as Cloud Auth API

  User->>Gen: run kubeconfig command (flags/env)
  Gen->>FS: resolve creds path (flag -> env per-provider)
  Gen-->>Gen: set providerInfo.creds-path & creds-env
  Gen->>Kubeconfig: write kubeconfig with execConfig (command,args,env)
  User->>kubectl: run kubectl using kubeconfig
  kubectl->>Exec: exec credential-provider (execConfig.cmd + env)
  Exec->>FS: read creds file (from creds-env)
  Exec->>Cloud: request token using credentials
  Cloud-->>Exec: return token
  Exec-->>kubectl: return client-token
  kubectl->>KubernetesAPI: authenticate with token

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• HYPERFLEET-626 | fix: fix lint error #3: touches the same cmd/provider/kubeconfig/generate.go area; modifies related kubeconfig/flag handling and logger behavior.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main changes across multiple files: it fixes credentials file path resolution logic in the kubeconfig generation process with updated precedence for environment variables.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

No actionable comments were generated in the recent review. 🎉

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@cmd/provider/kubeconfig/generate.go`:
- Around line 162-170: The error string returned when GCP credentials are
missing (constructed with fmt.Errorf using credsPath/flags.CredentialsFile)
starts with a capital letter; update that fmt.Errorf message to begin with a
lowercase letter and do the same for the two other error returns in the same
file (the other fmt.Errorf usages flagged in the review) so all error messages
follow Go's ST1005 convention; locate the error strings constructed in
generate.go (references: credsPath, flags.CredentialsFile, and the three
fmt.Errorf calls reported) and change their leading characters to lowercase
while preserving the rest of the message content.
- Around line 209-225: The code currently reads AWS_CREDENTIALS_FILE; change the
lookup logic so credsPath is set by priority: flags.CredentialsFile, then
os.Getenv("AWS_SHARED_CREDENTIALS_FILE"), then
os.Getenv("AWS_CREDENTIALS_FILE"); update the providerInfo map entry "creds-env"
to reflect the actual env var used ("AWS_SHARED_CREDENTIALS_FILE" or
"AWS_CREDENTIALS_FILE") (keep "creds-path" as credsPath) so the kubeconfig
exports the standard AWS_SHARED_CREDENTIALS_FILE when appropriate.

[yingzhanredhat]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yingzhanredhat

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [yingzhanredhat]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment