saltext.kubernetes.utils._connection

Internal connection helpers for the saltext-kubernetes extension.

This module owns the auth-resolution logic for the extension. The publicly-exposed seam is _setup_conn(), which is re-exported through saltext.kubernetes.modules.kubernetesmod for backwards compatibility — its signature, kwargs handling, and {"kubeconfig": ..., "context": ...} return shape on the kubeconfig paths are preserved.

Auth precedence (first non-empty wins):

1. kubeconfig file path

2. kubeconfig inline base64 data

3. host + (api_key | username / password | client_cert / client_key)

4. In-cluster ServiceAccount

Within each path, individual values resolve in this order:

explicit kwarg > env var > pillar / minion config

The env-var names match the K8S_AUTH_* convention popularised by Ansible’s kubernetes.core collection, so users with multi-tool setups can share a single set of credentials.

Direct callers from outside the extension’s own internals should not be relying on this module — use the kubernetes execution module’s public functions instead.

Note

Header-based features (HTTP impersonation, custom default headers) are deliberately not handled here. They require injection at the ApiClient layer, which the current call-site pattern (kubernetes.client.CoreV1Api() with no explicit client) bypasses. A follow-up PR will route API instances through a shared factory and add impersonation on top.