Refactor project layout

cmd/credential.go

@@ -0,0 +1,68 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+func newCredentialCmd() *cobra.Command {
+	var (
+		server     string
+		noKerberos bool
+		noCache    bool
+		debugFlag  bool
+	)
+
+	cmd := &cobra.Command{
+		Use:   "credential",
+		Short: "kubectl exec credential plugin — serve a cached ExecCredential to kubectl",
+		Long: `Acts as a kubectl exec credential plugin. Returns a cached ExecCredential
+JSON to kubectl. On a cache miss, silently attempts Kerberos SPNEGO; if that
+also fails, exits with an error directing the user to run 'ward login'.
+
+Run 'ward login' once to authenticate and populate the cache. After that,
+kubectl works silently until the credential expires.
+
+Debug output goes to stderr (kubectl surfaces this to the terminal):
+
+  WARD_DEBUG=1 kubectl get nodes`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if server == "" {
+				return fmt.Errorf("--server is required")
+			}
+
+			server = normalizeServer(server)
+
+			logf := func(format string, a ...any) {
+				if debugFlag {
+					fmt.Fprintf(os.Stderr, "[ward] "+format+"\n", a...)
+				}
+			}
+
+			if !noCache {
+				if ec, ok := credReadCache(server, logf); ok {
+					return credPrint(ec)
+				}
+			}
+
+			ec, err := credFetch(server, noKerberos, logf)
+			if err != nil {
+				return err
+			}
+
+			if !noCache {
+				credWriteCache(server, ec, logf)
+			}
+			return credPrint(ec)
+		},
+	}
+
+	cmd.Flags().StringVar(&server, "server", "", "ward server URL (required)")
+	cmd.Flags().BoolVar(&noKerberos, "no-kerberos", false, "skip Kerberos SPNEGO")
+	cmd.Flags().BoolVar(&noCache, "no-cache", false, "bypass local cache; always fetch a fresh credential")
+	cmd.Flags().BoolVar(&debugFlag, "debug", os.Getenv("WARD_DEBUG") != "", "verbose debug output to stderr (also: $WARD_DEBUG=1)")
+
+	return cmd
+}