fix(control-plane): iterate projects to refresh running session tokens #1206

Merged
markturansky merged 1 commit into alpha from fix/cp-token-refresh-loop
Apr 4, 2026

@markturansky markturansky commented Apr 4, 2026

Summary

  • refreshAllRunningTokens called factory.ForProject(ctx, "") which the SDK rejects with "project is required"
  • The refresh loop was silently failing every 10 minutes, leaving runner pod BOT_TOKEN files stale
  • BOT_TOKEN expiry caused UNAUTHENTICATED errors on the gRPC stream — runner unable to push session messages
  • Fix: list all projects first (using a sentinel project client for the /projects endpoint which ignores the project header), then list running sessions per project and refresh each token

Test plan

  • Deploy updated control-plane
  • Start a session, wait 10+ minutes
  • Verify control-plane logs show token refresh success (no "project is required" warn)
  • Verify runner pod continues streaming without UNAUTHENTICATED errors after 15 minutes

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Improvements
    • Token refresh operations now reliably support multi-project environments with enhanced error handling that prevents single-project failures from disrupting the entire refresh process.

refreshAllRunningTokens called ForProject(ctx, "") which the SDK
rejects with "project is required". Sessions are project-scoped so
the cross-project list requires iterating all projects first, then
listing running sessions per project.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

coderabbitai bot commented Apr 4, 2026

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

refreshAllRunningTokens refactored to traverse multiple projects and their running sessions. Added nested pagination logic for projects and sessions per project, with granular error handling that skips failed project clients instead of halting the entire operation.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Multi-project token refresh: components/ambient-control-plane/internal/reconciler/kube_reconciler.go | Modified to list projects via SDK, then obtain project-scoped clients to list running sessions and refresh runner token secrets. Added nested pagination (projectOpts and sessionOpts). Error handling now gracefully continues on per-project client acquisition failure and breaks inner pagination on session listing errors instead of aborting the entire refresh loop. |

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Performance And Algorithmic Complexity | ❌ Error | Code has blocking pagination termination bug using request page/size instead of response metadata, causing premature exit and stale tokens. | Extract Page and Size from response metadata with request value fallbacks, then use extracted values in loop termination and pagination increment. |
| Security And Secret Handling | ❓ Inconclusive | File examination unable to complete; file path ./components/ambient-control-plane/internal/reconciler/kube_reconciler.go does not exist or is inaccessible. | Verify the file path is correct and the file exists in the repository. Check if the codebase structure matches the expected layout. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | Title follows Conventional Commits format (fix(control-plane): ...) and accurately describes the main change: iterating projects to refresh running session tokens. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Kubernetes Resource Safety | ✅ Passed | PR modifies only refreshAllRunningTokens function to fix pagination in existing Secret resource operations without altering Kubernetes resource safety patterns. |

@markturansky markturansky merged commit 88f1fc8 into alpha Apr 4, 2026
34 of 36 checks passed
@markturansky markturansky deleted the fix/cp-token-refresh-loop branch April 4, 2026 01:34
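
The pre-merge check in the review above concerns a list loop that decides it is finished from the requested page size instead of the size the server reports, which ends the listing early and leaves later sessions with stale tokens. As an added illustration (not code from this pull request or from the project's SDK), the Go example below terminates on response metadata with a fallback to the request value; `Page`, `Lister`, `listAll` and `fixedSizeServer` are hypothetical names and the session ids are constructed.

```go
package main

import "fmt"

// Page is a hypothetical list response; zero Page/Size/Total means omitted.
type Page struct {
	Items             []string
	Page, Size, Total int
}

// Lister fetches one page for a scope: a project name, or "" for the project list.
type Lister func(scope string, page, size int) (Page, error)

// listAll pages until the response metadata says the listing is complete.
func listAll(list Lister, scope string, reqSize int) ([]string, error) {
	var out []string
	for page := 1; ; page++ {
		resp, err := list(scope, page, reqSize)
		if err != nil {
			return out, err
		}
		out = append(out, resp.Items...)
		size := reqSize // fallback when the response omits Size
		if resp.Size > 0 {
			size = resp.Size
		}
		// Testing page*reqSize instead would stop after page 1 whenever the
		// server serves smaller pages than requested, skipping later sessions.
		if len(resp.Items) == 0 || page*size >= resp.Total {
			return out, nil
		}
	}
}

// fixedSizeServer (constructed) always serves pages of limit items.
func fixedSizeServer(all []string, limit int) Lister {
	return func(_ string, page, _ int) (Page, error) {
		var items []string
		for i := (page - 1) * limit; i < page*limit && i < len(all); i++ {
			items = append(items, all[i])
		}
		return Page{Items: items, Page: page, Size: limit, Total: len(all)}, nil
	}
}

func main() {
	sessions := []string{"s1", "s2", "s3", "s4", "s5"} // constructed session ids
	fmt.Println(listAll(fixedSizeServer(sessions, 2), "project-a", 100))
}
```

In a refresh pass shaped like the one this pull request describes, the same helper would be called once for the project list and once per project for its running sessions, with a per-project error logged and skipped.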