feat: add out-of-cluster platform-connector deployment mode

[sulixu]

Summary

Add optional out-of-cluster Kubernetes auth for platform-connectors via --kubeconfig.

This threads the kubeconfig path through startup, connector initialization, and pipeline transformer creation so both the Kubernetes connector and MetadataAugmentor use the same explicit client config when platform-connectors runs outside the cluster (for example under systemd). When --kubeconfig is unset, existing in-cluster auth behavior remains unchanged.

Also updates docs for the new auth mode and adds unit coverage for flag parsing, kubeconfig loading, connector init, and pipeline option propagation

Type of Change

• 🐛 Bug fix
• ✨ New feature
• 💥 Breaking change
• 📚 Documentation
• 🔧 Refactoring
• 🔨 Build/CI

Component(s) Affected

• Core Services
• Documentation/CI
• Fault Management
• Health Monitors
• Janitor
• Other: ____________

Testing

• Tests pass locally
• Manual testing completed
• No breaking changes (or documented)

Checklist

• Self-review completed
• Documentation updated (if needed)
• Ready for review

Summary by CodeRabbit

• New Features

  • CLI flag to enable out-of-cluster Kubernetes authentication via an explicit kubeconfig; runtime now supports passing that kubeconfig through the pipeline and connectors.

• Documentation

  • Added Kubernetes Authentication sections and examples describing in-cluster default and out-of-cluster kubeconfig usage.

• Tests

  • Added unit tests covering flag parsing, kubeconfig loading, connector initialization, and pipeline option propagation.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9263cdd9-b9b6-4493-a2d8-6c8ff291e8b9

📥 Commits

Reviewing files that changed from the base of the PR and between 1d80810 and 42f6219.

📒 Files selected for processing (2)

• platform-connectors/pkg/kubeconfig/loader.go
• platform-connectors/pkg/kubeconfig/loader_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• platform-connectors/pkg/kubeconfig/loader.go

---

📝 Walkthrough

Walkthrough

This PR enables Platform Connectors to authenticate to Kubernetes using explicit kubeconfig files. A kubeconfig loader was added, the Kubernetes connector and metadata transformer use it, pipeline factory API accepts options carrying kubeconfig path, main CLI wires a -kubeconfig flag, and docs/tests updated.

Changes

Out-of-Cluster Kubernetes Authentication

Layer / File(s)	Summary
Kubeconfig Loading Abstraction platform-connectors/pkg/kubeconfig/loader.go, platform-connectors/pkg/kubeconfig/loader_test.go	New kubeconfig.Load(path) builds a Kubernetes *rest.Config from an explicit kubeconfig path and surfaces contextual errors when missing; tests cover explicit file, missing file error, and no-config scenario.
Kubernetes Connector with Kubeconfig Support platform-connectors/pkg/connectors/kubernetes/k8s_connector.go, platform-connectors/pkg/connectors/kubernetes/k8s_connector_init_test.go	InitializeK8sConnector gains kubeconfigPath string, calls kubeconfig.Load(kubeconfigPath) instead of assuming in-cluster config; test verifies initialization with an explicit kubeconfig.
Pipeline Options Schema and Propagation platform-connectors/pkg/pipeline/factory.go, platform-connectors/pkg/pipeline/factory_test.go	Adds exported Options{KubeconfigPath string} and updates Factory, Create, and NewFromConfigs to accept and forward options; test asserts options propagate to registered transformer factories.
Transformer Factory Integration platform-connectors/pkg/transformers/metadata/factory.go, platform-connectors/pkg/transformers/overrides/factory.go	Transformer factory signatures updated to accept pipeline.Options; metadata transformer now calls kubeconfig.Load(opts.KubeconfigPath) instead of in-cluster config. Overrides factory signature updated to accept unused pipeline.Options.
CLI Flag and Application Wiring platform-connectors/main.go, platform-connectors/main_test.go	Adds -kubeconfig CLI flag on the config struct, threads kubeconfigPath through initializeConnectors/initializeK8sConnector/initializePipeline (passed as pipeline.Options{KubeconfigPath}), logs auth mode, and includes tests for default (in-cluster) and explicit kubeconfig parsing.
User Documentation docs/configuration/platform-connectors.md, docs/platform-connectors.md	Adds "Kubernetes Authentication"/"Kubernetes Authentication Modes" sections and updates intro wording to state Platform Connectors typically run as a deployment in-cluster; documents default in-cluster ServiceAccount auth, --kubeconfig for host-managed out-of-cluster use, effect on metadata lookups, and Helm chart behavior.

Sequence Diagram(s):

sequenceDiagram
  participant CLI as CLI Flags
  participant Run as run()
  participant Init as initializeConnectors / initializePipeline
  participant K8s as InitializeK8sConnector
  participant Loader as kubeconfig.Load
  participant Pipeline as pipeline.NewFromConfigs

  CLI->>Run: provide `--kubeconfig` (or empty)
  Run->>Run: log auth mode
  Run->>Init: pass kubeconfigPath
  Init->>K8s: initializeK8sConnector(kubeconfigPath)
  K8s->>Loader: kubeconfig.Load(kubeconfigPath)
  Run->>Pipeline: NewFromConfigs(..., Options{KubeconfigPath})
  Pipeline->>Loader: kubeconfig.Load(opts.KubeconfigPath) (in transformers)

Loading

Estimated code review effort:
🎯 3 (Moderate) | ⏱️ ~25 minutes

🐰 A rabbit hops with joy, kubeconfigs in paw,
No longer bound by in-cluster's claw,
Out-of-cluster auth now flows so clean,
The finest authentication I've seen! 🌟

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 12.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely describes the main change: adding out-of-cluster deployment mode support via kubeconfig flag to the platform-connector, which is the primary objective of the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[lalitadithya]

Thank you for your PR! Can you also complete the DCO process -- https://github.com/NVIDIA/NVSentinel/pull/1359/checks?check_run_id=79362762538

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

platform-connectors/pkg/connectors/kubernetes/k8s_connector.go (1)

68-71: ⚡ Quick win

Add a doc comment for InitializeK8sConnector.

This exported function now has a public signature change but no leading comment.

Proposed fix

+// InitializeK8sConnector creates a Kubernetes connector and clientset using either
+// in-cluster credentials or an explicit kubeconfig path.
 func InitializeK8sConnector(ctx context.Context, ringbuffer *ringbuffer.RingBuffer,
 	qps float32, burst int, stopCh <-chan struct{}, cfg K8sConnectorConfig,
 	kubeconfigPath string,
 ) (*K8sConnector, kubernetes.Interface, error) {

As per coding guidelines, "Include function comments for exported Go functions".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@platform-connectors/pkg/connectors/kubernetes/k8s_connector.go` around lines
68 - 71, Add a Go doc comment for the exported InitializeK8sConnector function
describing its purpose (initializes and returns a K8sConnector and
kubernetes.Interface), summarizing key parameters (ctx, ringbuffer
*ringbuffer.RingBuffer, qps, burst, stopCh <-chan struct{}, cfg
K8sConnectorConfig, kubeconfigPath string) and the return values (
*K8sConnector, kubernetes.Interface, error); ensure the comment sits immediately
above the InitializeK8sConnector declaration and follows Go doc conventions
(starts with the function name and is a complete sentence).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@platform-connectors/pkg/connectors/kubernetes/k8s_connector.go`:
- Around line 82-85: Wrap the error returned by kubeconfig.Load(kubeconfigPath)
with connector context before returning; replace the bare return of err in the
block that calls kubeconfig.Load with a wrapped error like
fmt.Errorf("kubernetes connector: failed to load kubeconfig %s: %w",
kubeconfigPath, err) (importing fmt if necessary) so the initializer functions
(the block around kubeconfig.Load and its nil, nil, err return) convey
connector-level context.

In `@platform-connectors/pkg/pipeline/factory.go`:
- Around line 25-29: Add Go doc comments for the exported API in this file:
write concise godoc lines above the Options type, Factory type, Register
function, Create function, and NewFromConfigs function describing their purpose
and behaviour (including any important params/returns) so the exported pipeline
contract is documented; reference the types/names Options, Factory, Register,
Create, NewFromConfigs and briefly mention related types used in signatures such
as Transformer and Config to clarify their roles in the comments.

---

Nitpick comments:
In `@platform-connectors/pkg/connectors/kubernetes/k8s_connector.go`:
- Around line 68-71: Add a Go doc comment for the exported
InitializeK8sConnector function describing its purpose (initializes and returns
a K8sConnector and kubernetes.Interface), summarizing key parameters (ctx,
ringbuffer *ringbuffer.RingBuffer, qps, burst, stopCh <-chan struct{}, cfg
K8sConnectorConfig, kubeconfigPath string) and the return values (
*K8sConnector, kubernetes.Interface, error); ensure the comment sits immediately
above the InitializeK8sConnector declaration and follows Go doc conventions
(starts with the function name and is a complete sentence).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f0ed88b2-3cb7-41b4-aabd-0a1326ee9285

📥 Commits

Reviewing files that changed from the base of the PR and between e078bb3 and 0afb3ad.

📒 Files selected for processing (12)

• docs/configuration/platform-connectors.md
• docs/platform-connectors.md
• platform-connectors/main.go
• platform-connectors/main_test.go
• platform-connectors/pkg/connectors/kubernetes/k8s_connector.go
• platform-connectors/pkg/connectors/kubernetes/k8s_connector_init_test.go
• platform-connectors/pkg/kubeconfig/loader.go
• platform-connectors/pkg/kubeconfig/loader_test.go
• platform-connectors/pkg/pipeline/factory.go
• platform-connectors/pkg/pipeline/factory_test.go
• platform-connectors/pkg/transformers/metadata/factory.go
• platform-connectors/pkg/transformers/overrides/factory.go

[lalitadithya]

/ok to test 41c0e63

[github-actions]

Welcome to NVSentinel, @sulixu! Thanks for your first pull request.

Before review, please ensure:

• All commits are signed off per the DCO
• CI checks pass
• The PR description explains the reason for the change

A maintainer will review this soon.

[github-actions]

🌿 Fern Docs Preview: https://nvidia-preview-pull-request-1359.docs.buildwithfern.com/nvsentinel