fluent-plugin-kusto 0.0.2.beta → 0.0.3.beta

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cc350e3ff175a97e394fb513ed353bc305944c42474ce443030c2ebc855f9d22
-  data.tar.gz: 004040b7e123a5f713302fe094cf3ac1d4c8ddc25f7778acf43311084cd5d60e
+  metadata.gz: 2f46e06c2f84df5ddae86b8bffc55bbd0e7a92ad636d4c02512b7c9fa909e563
+  data.tar.gz: ef350fc500e82cbf80a0b91c1247463b8a4a00487324bbbc39f04a4017436d90
 SHA512:
-  metadata.gz: 6609741147c05adf1b900a71eeed74f7301541bfb79e47320f3df797108ac0c3bc436df0c1e86862431274caa9cba94d9b27fa3e581aab5c17ea1a6a76f9cb15
-  data.tar.gz: 25bcc39f12c974a289a3f2ef8943e4419ac0d8b72d631e1843fc9ba67e351848652d6db51a8935b081182de9c0ba3fdb8e63c8e40da83d2489d06f60c06a7978
+  metadata.gz: 00634a1a008a0dcb07929181b4946ad42b5d0d2d8b4aa1099498f13f72fd4b5479cb64f347fb065937d930870ca933dd6320cac8c096d0e689415dcd79564b5b
+  data.tar.gz: db35058e072ed1bdabce57439db87c161a026a4654bc61afd40f9a87f305c75a146017fbbdf91f3c71e7017a24b80ffed48eb061167c44361e3792615baa6b84

data/lib/fluent/plugin/auth/aad_tokenprovider.rb

@@ -52,7 +52,7 @@ class AadTokenProvider < AbstractTokenProvider
 
   def post_token_request
     headers = header
-    max_retries = 10
+    max_retries = 3  # Reduced from 10 to prevent rate limiting cascade
     retries = 0
     uri = URI.parse(@token_request_uri)
     form_data = URI.encode_www_form(
@@ -63,8 +63,7 @@ class AadTokenProvider < AbstractTokenProvider
     )
     while retries < max_retries
       begin
-        http = Net::HTTP.new(uri.host, uri.port)
-        http.use_ssl = (uri.scheme == 'https')
+        http = create_http_client(uri)
         request = Net::HTTP::Post.new(uri.request_uri, headers)
         request.body = form_data
 

data/lib/fluent/plugin/auth/mi_tokenprovider.rb

@@ -73,7 +73,7 @@ class ManagedIdentityTokenProvider < AbstractTokenProvider
     uri = URI.parse(@token_acquire_url)
     while retries < max_retries
       begin
-        http = Net::HTTP.new(uri.host, uri.port)
+        http = create_http_client(uri)
         request = Net::HTTP::Get.new(uri.request_uri, headers)
         response = http.request(request)
         return JSON.parse(response.body) if response.code.to_i == 200

data/lib/fluent/plugin/auth/tokenprovider_base.rb

@@ -1,13 +1,46 @@
 # frozen_string_literal: true
 
 require 'logger'
+require 'fluent/plugin/kusto_constants'
 
 # AbstractTokenProvider defines the interface and shared logic for all token providers.
+# Enhanced with retry logic and better token expiry management to prevent timeout issues.
 class AbstractTokenProvider
   def initialize(outconfiguration)
     @logger = setup_logger(outconfiguration)
     setup_config(outconfiguration)
-    @token_state = { access_token: nil, expiry_time: nil, token_details_mutex: Mutex.new }
+    @token_state = { 
+      access_token: nil, 
+      expiry_time: nil, 
+      token_details_mutex: Mutex.new,
+      refresh_in_progress: false,
+      consecutive_failures: 0,
+      last_failure_time: nil,
+      creation_time: Time.now,
+      refresh_count: 0,
+      last_successful_refresh: nil
+    }
+    
+    # Simplified retry configuration using constants
+    @retry_config = {
+      max_retries: KustoConstants::Authentication::DEFAULT_MAX_RETRIES,
+      base_delay: KustoConstants::Authentication::DEFAULT_BASE_DELAY,
+      backoff_multiplier: KustoConstants::Authentication::DEFAULT_BACKOFF_MULTIPLIER,
+      max_delay: KustoConstants::Authentication::DEFAULT_MAX_DELAY
+    }
+    
+    # Minimal health configuration for 12-hour reset
+    @health_config = {
+      max_token_age: KustoConstants::HealthCheck::MAX_COMPONENT_AGE_SECONDS,
+      max_refresh_cycles: KustoConstants::HealthCheck::MAX_REFRESH_CYCLES
+    }
+    
+    # HTTP timeout configuration - consistent across all token providers
+    @http_config = {
+      open_timeout: KustoConstants::Authentication::HTTP_OPEN_TIMEOUT,
+      read_timeout: KustoConstants::Authentication::HTTP_READ_TIMEOUT,
+      write_timeout: KustoConstants::Authentication::HTTP_WRITE_TIMEOUT
+    }
   end
 
   # Abstract method: must be implemented by subclasses to fetch a new token.
@@ -15,18 +48,65 @@ class AbstractTokenProvider
     raise NotImplementedError, 'Subclasses must implement fetch_token'
   end
 
-  # Public method to get a valid token, refreshing if needed.
+  # Public method to get a valid token, refreshing if needed with enhanced retry logic.
   def get_token
     @token_state[:token_details_mutex].synchronize do
       if saved_token_need_refresh?
+        if @token_state[:refresh_in_progress]
+          @logger.debug("Token refresh already in progress, waiting...")
+          return wait_for_refresh_completion
+        end
+        
         @logger.info("Refreshing token. Previous expiry: #{@token_state[:expiry_time]}")
-        refresh_saved_token
+        refresh_saved_token_with_retry
         @logger.info("New token expiry: #{@token_state[:expiry_time]}")
+      else
+        @logger.debug("Reusing existing token (expires at #{@token_state[:expiry_time]})")
       end
       @token_state[:access_token]
     end
   end
 
+  # Health check method - returns health status as hash
+  # Note: This method should be called from within a synchronized context
+  def health_status
+    {
+      token_valid: !saved_token_need_refresh?,
+      token_expires_at: @token_state[:expiry_time],
+      consecutive_failures: @token_state[:consecutive_failures],
+      last_failure_time: @token_state[:last_failure_time],
+      refresh_in_progress: @token_state[:refresh_in_progress],
+      refresh_count: @token_state[:refresh_count],
+      last_successful_refresh: @token_state[:last_successful_refresh],
+      token_age_hours: @token_state[:creation_time] ? (Time.now - @token_state[:creation_time]) / 3600 : 0
+    }
+  end
+
+  # Thread-safe wrapper for health_status when called externally
+  def get_health_status
+    @token_state[:token_details_mutex].synchronize do
+      health_status
+    end
+  end
+
+  # Log health status for operational visibility
+  def log_health_status(context = "")
+    status = health_status
+    context_prefix = context.empty? ? "" : "#{context}: "
+    
+    @logger.info("#{context_prefix}Token provider health - " \
+                "valid: #{status[:token_valid]}, " \
+                "expires_at: #{status[:token_expires_at]}, " \
+                "failures: #{status[:consecutive_failures]}, " \
+                "refresh_count: #{status[:refresh_count]}, " \
+                "age_hours: #{status[:token_age_hours].round(1)}")
+    
+    if status[:consecutive_failures] > 0
+      @logger.warn("#{context_prefix}Token provider has #{status[:consecutive_failures]} consecutive failures, " \
+                  "last failure: #{status[:last_failure_time]}")
+    end
+  end
+
   private
 
   def setup_logger(outconfiguration)
@@ -38,20 +118,189 @@ class AbstractTokenProvider
   end
 
   def saved_token_need_refresh?
-    @token_state[:access_token].nil? || @token_state[:expiry_time].nil? || @token_state[:expiry_time] <= Time.now
+    return true if @token_state[:access_token].nil? || @token_state[:expiry_time].nil?
+    
+    # Check for long-running pod health issues
+    if long_running_pod_health_check_needed?
+      @logger.warn("Long-running pod health issue detected, forcing token refresh")
+      return true
+    end
+    
+    # Use token expiry buffer from constants to prevent race conditions
+    @token_state[:expiry_time] <= (Time.now + KustoConstants::Authentication::TOKEN_EXPIRY_BUFFER_SECONDS)
+  end
+
+  def long_running_pod_health_check_needed?
+    current_time = Time.now
+    
+    # Check if token is too old (12+ hours) - force refresh to prevent staleness
+    if @token_state[:creation_time] && 
+       (current_time - @token_state[:creation_time]) > @health_config[:max_token_age]
+      @logger.warn("Token provider is #{(current_time - @token_state[:creation_time]) / 3600} hours old, forcing refresh")
+      reset_token_state_for_long_running_pod
+      return true
+    end
+    
+    # Check if too many refresh cycles (potential state corruption)
+    if @token_state[:refresh_count] > @health_config[:max_refresh_cycles]
+      @logger.warn("Token provider has #{@token_state[:refresh_count]} refresh cycles, resetting state")
+      reset_token_state_for_long_running_pod
+      return true
+    end
+    
+    # Check if last successful refresh was too long ago
+    if @token_state[:last_successful_refresh] &&
+       (current_time - @token_state[:last_successful_refresh]) > (@health_config[:max_token_age] / 2)
+      @logger.warn("No successful refresh for #{(current_time - @token_state[:last_successful_refresh]) / 3600} hours")
+      return true
+    end
+    
+    false
   end
 
-  def refresh_saved_token
-    token_response = fetch_token
-    @token_state[:access_token] = token_response[:access_token]
-    @token_state[:expiry_time] = get_token_expiry_time(token_response[:expires_in])
+  def reset_token_state_for_long_running_pod
+    log_health_status("Before reset")
+    @logger.info("Resetting token state for long-running pod health")
+    
+    @token_state[:access_token] = nil
+    @token_state[:expiry_time] = nil
+    @token_state[:consecutive_failures] = 0
+    @token_state[:last_failure_time] = nil
+    @token_state[:creation_time] = Time.now
+    @token_state[:refresh_count] = 0
+    @token_state[:last_successful_refresh] = nil
+    
+    log_health_status("After reset")
+  end
+
+  def wait_for_refresh_completion
+    # Wait for ongoing refresh to complete (max 30 seconds)
+    max_wait = 30
+    start_time = Time.now
+    
+    while @token_state[:refresh_in_progress] && (Time.now - start_time) < max_wait
+      sleep(0.5)
+    end
+    
+    # Return token if refresh completed successfully
+    return @token_state[:access_token] if @token_state[:access_token] && !saved_token_need_refresh?
+    
+    # If still no valid token, attempt refresh ourselves
+    @token_state[:refresh_in_progress] = false
+    refresh_saved_token_with_retry
+    @token_state[:access_token]
+  end
+
+  def refresh_saved_token_with_retry
+    @token_state[:refresh_in_progress] = true
+    
+    begin
+      token_response = fetch_token_with_retry
+      @token_state[:access_token] = token_response[:access_token]
+      @token_state[:expiry_time] = get_token_expiry_time(token_response[:expires_in])
+      @token_state[:consecutive_failures] = 0
+      @token_state[:last_failure_time] = nil
+      @token_state[:refresh_count] += 1
+      @token_state[:last_successful_refresh] = Time.now
+      
+      @logger.info("Token refresh successful (cycle #{@token_state[:refresh_count]})")
+      
+      # Log health status after successful refresh for operational visibility
+      log_health_status("After successful refresh")
+    ensure
+      @token_state[:refresh_in_progress] = false
+    end
+  end
+
+  def fetch_token_with_retry
+    attempt = 0
+    last_exception = nil
+    
+    while attempt < @retry_config[:max_retries]
+      attempt += 1
+      
+      begin
+        @logger.info("Attempting token fetch (attempt #{attempt}/#{@retry_config[:max_retries]})")
+        return fetch_token
+        
+      rescue StandardError => e
+        last_exception = e
+        @logger.warn("Token fetch attempt #{attempt} failed: #{e.message}")
+        
+        # Don't retry on permanent errors
+        if permanent_error?(e)
+          @logger.error("Permanent error detected, not retrying: #{e.message}")
+          record_failure(e)
+          raise e
+        end
+        
+        # Calculate delay with exponential backoff
+        if attempt < @retry_config[:max_retries]
+          delay = calculate_retry_delay(attempt)
+          @logger.info("Retrying in #{delay} seconds...")
+          sleep(delay)
+        end
+      end
+    end
+    
+    # All retries exhausted
+    record_failure(last_exception)
+    raise last_exception || StandardError.new("Token fetch failed after #{@retry_config[:max_retries]} attempts")
+  end
+
+  def calculate_retry_delay(attempt)
+    # Exponential backoff: base_delay * backoff_multiplier^(attempt-1)
+    # Example: 1s, 2s, 4s for base_delay=1, backoff_multiplier=2
+    delay = @retry_config[:base_delay] * (@retry_config[:backoff_multiplier] ** (attempt - 1))
+    delay = [@retry_config[:max_delay], delay].min
+    
+    # Add jitter to prevent thundering herd
+    # When many concurrent refreshes are happening, this will space them out better
+    jitter = delay * 0.1
+    delay += rand(-jitter..jitter)
+    
+    [delay, KustoConstants::Authentication::MIN_RETRY_DELAY].max # Minimum retry delay from constants
+  end
+
+  def permanent_error?(exception)
+    return false unless exception.respond_to?(:message)
+    
+    message = exception.message.to_s.downcase
+    permanent_patterns = [
+      'unauthorized',
+      'forbidden',
+      'invalid_client',
+      'invalid_grant',
+      'access_denied'
+    ]
+    
+    permanent_patterns.any? { |pattern| message.include?(pattern) }
+  end
+
+  def record_failure(exception)
+    @token_state[:consecutive_failures] += 1
+    @token_state[:last_failure_time] = Time.now
+    @logger.error("Token fetch failed: #{exception&.message || 'Unknown error'}")
   end
 
   def get_token_expiry_time(expires_in_seconds)
     if expires_in_seconds.nil? || expires_in_seconds.to_i <= 0
-      Time.now + 3540 # Default to 59 minutes if expires_in is not provided or invalid
+      # Default to 55 minutes if expires_in is not provided or invalid
+      Time.now + KustoConstants::Authentication::DEFAULT_TOKEN_EXPIRY_SECONDS
     else
-      Time.now + expires_in_seconds.to_i - 1
+      # Use buffer from constants for better safety margin
+      Time.now + expires_in_seconds.to_i - KustoConstants::Authentication::TOKEN_EXPIRY_BUFFER_SECONDS
     end
   end
+
+  # Helper method to create HTTP client with consistent timeout configuration
+  # This prevents hanging connections and ensures consistent behavior across all token providers
+  def create_http_client(uri)
+    http = Net::HTTP.new(uri.host, uri.port)
+    http.use_ssl = (uri.scheme == 'https')
+    http.open_timeout = @http_config[:open_timeout]
+    http.read_timeout = @http_config[:read_timeout] 
+    http.write_timeout = @http_config[:write_timeout]
+    http
+  end
 end

data/lib/fluent/plugin/auth/wif_tokenprovider.rb

@@ -34,7 +34,7 @@ class WorkloadIdentity < AbstractTokenProvider
   end
 
   def acquire_workload_identity_token
-    oidc_token = File.read(@token_file).strip
+    oidc_token = read_token_file_safely
     uri = URI.parse(format(AZURE_OAUTH2_TOKEN_ENDPOINT, tenant_id: @tenant_id))
     req = Net::HTTP::Post.new(uri)
     req.set_form_data(
@@ -44,11 +44,26 @@ class WorkloadIdentity < AbstractTokenProvider
       'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
       'client_assertion' => oidc_token
     )
-    http = Net::HTTP.new(uri.host, uri.port)
-    http.use_ssl = true
+    http = create_http_client(uri)
     res = http.request(req)
     raise "Failed to get access token: #{res.code} #{res.body}" unless res.is_a?(Net::HTTPSuccess)
 
     JSON.parse(res.body)
   end
+
+  def read_token_file_safely
+    max_attempts = 3
+    max_attempts.times do |attempt|
+      begin
+        # Safe file reading with corruption detection
+        token = File.read(@token_file).strip
+        raise "Empty or invalid token file" if token.empty? || token.length < 10
+        return token
+      rescue => e
+        @logger.warn("Token file read attempt #{attempt + 1}/#{max_attempts} failed: #{e.message}")
+        raise e if attempt == max_attempts - 1
+        sleep(0.1 * (2 ** attempt))  # Exponential backoff: 0.1s, 0.2s, 0.4s
+      end
+    end
+  end
 end

data/lib/fluent/plugin/client.rb

@@ -26,6 +26,19 @@ class Client
     @resources_expiry_time = nil
     @outconfiguration = outconfiguration
     @token_provider = create_token_provider(outconfiguration)
+    
+    # Minimal state tracking for 12-hour reset
+    @client_state = {
+      creation_time: Time.now,
+      resource_fetch_count: 0,
+      last_successful_fetch: nil
+    }
+    
+    # Simplified health configuration
+    @health_config = {
+      max_client_age: 43_200, # 12 hours - force reset after this time
+      max_fetch_cycles: 200 # Force reset after too many fetch cycles
+    }
   end
 
   def resources
@@ -36,6 +49,17 @@ class Client
     @cached_resources
   end
 
+  # Minimal health status for operational visibility
+  def health_status
+    {
+      resources_cached: !@cached_resources.nil?,
+      cache_expires_at: @resources_expiry_time,
+      fetch_cycles: @client_state[:resource_fetch_count],
+      pod_age_hours: (Time.now - @client_state[:creation_time]) / 3600,
+      last_successful_fetch: @client_state[:last_successful_fetch]
+    }
+  end
+
   attr_reader :blob_sas_uri, :queue_sas_uri, :identity_token, :logger, :blob_rows, :data_endpoint, :token_provider
 
   private
@@ -48,10 +72,56 @@ class Client
   end
 
   def resources_cached?
+    # Check for long-running pod health issues first
+    if long_running_pod_health_check_needed?
+      @logger.warn("Long-running pod health issue detected, forcing resource refresh")
+      return false
+    end
+    
     # Check if resources are cached and not expired
     @cached_resources && @resources_expiry_time && @resources_expiry_time > Time.now
   end
 
+  def long_running_pod_health_check_needed?
+    current_time = Time.now
+    
+    # Check if client is too old (12+ hours) - force reset to prevent staleness
+    if @client_state[:creation_time] && 
+       (current_time - @client_state[:creation_time]) > @health_config[:max_client_age]
+      @logger.warn("Client is #{(current_time - @client_state[:creation_time]) / 3600} hours old, forcing reset")
+      reset_client_state_for_long_running_pod
+      return true
+    end
+    
+    # Check if too many fetch cycles (potential state corruption)
+    if @client_state[:resource_fetch_count] > @health_config[:max_fetch_cycles]
+      @logger.warn("Client has #{@client_state[:resource_fetch_count]} fetch cycles, resetting state")
+      reset_client_state_for_long_running_pod
+      return true
+    end
+    
+    # Check if no successful fetch for too long (6 hours)
+    if @client_state[:last_successful_fetch] &&
+       (current_time - @client_state[:last_successful_fetch]) > 21_600
+      @logger.warn("No successful resource fetch for #{(current_time - @client_state[:last_successful_fetch]) / 3600} hours")
+      return true
+    end
+    
+    false
+  end
+
+  def reset_client_state_for_long_running_pod
+    @logger.info("Resetting client state for long-running pod health")
+    
+    @cached_resources = nil
+    @resources_expiry_time = nil
+    @client_state[:creation_time] = Time.now
+    @client_state[:resource_fetch_count] = 0
+    @client_state[:last_successful_fetch] = nil
+    @client_state[:consecutive_failures] = 0
+    
+      end
+
   def fetch_and_cache_resources
     # Fetch resources from Kusto and cache them
     @logger.info('Fetching resources from Kusto...')
@@ -137,7 +207,18 @@ class Client
       queue_sas_uri: queue_sas_uri,
       identity_token: identity_token
     }
-    @resources_expiry_time = Time.now + 21_600 # Cache for 6 hours
+    
+    # Add jitter (±30 minutes) to prevent thundering herd
+    base_ttl = 21_600 # 6 hours
+    jitter = rand(-1800..1800) # ±30 minutes
+    @resources_expiry_time = Time.now + base_ttl + jitter
+    
+    # Update client state tracking
+    @client_state[:resource_fetch_count] += 1
+    @client_state[:last_successful_fetch] = Time.now
+    @client_state[:consecutive_failures] = 0
+    
+    @logger.info("Resources cached with jitter: #{jitter / 60} minutes (expires at #{@resources_expiry_time}) - fetch cycle #{@client_state[:resource_fetch_count]}")
   end
 
   def validate_kusto_resource_rows(blob_rows, aad_token_rows)

data/lib/fluent/plugin/ingester.rb

@@ -25,7 +25,6 @@ class Ingester
   def initialize(outconfiguration)
     # Initialize Ingester with configuration and resources
     @client = self.class.client(outconfiguration)
-    @resources = @client.resources
     @logger = begin
       outconfiguration.logger
     rescue StandardError
@@ -34,8 +33,19 @@ class Ingester
   end
 
   def self.client(outconfiguration)
-    # Cache and return a Client instance
-    self.client_cache ||= Client.new(outconfiguration)
+    # Thread-safe singleton client cache with basic validation
+    return self.client_cache if self.client_cache
+
+    # Double-checked locking pattern for thread safety
+    @client_mutex ||= Mutex.new
+    @client_mutex.synchronize do
+      self.client_cache ||= Client.new(outconfiguration)
+    end
+  end
+
+  # CRITICAL FIX: Dynamic resource access instead of stale cached reference
+  def resources
+    @client.resources
   end
 
   def build_uri(container_sas_uri, name)
@@ -56,7 +66,8 @@ class Ingester
     request['x-ms-blob-type'] = 'BlockBlob'
     request['Content-Length'] = blob_size.to_s
 
-    response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == 'https') do |http|
+    response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == 'https',
+                               open_timeout: 10, read_timeout: 30, write_timeout: 10) do |http|
       http.request(request)
     end
 
@@ -111,7 +122,8 @@ class Ingester
     request = Net::HTTP::Post.new(post_uri)
     request['Content-Type'] = 'application/xml'
     request.body = "<QueueMessage><MessageText>#{encoded_message}</MessageText></QueueMessage>"
-    response = Net::HTTP.start(post_uri.hostname, post_uri.port, use_ssl: post_uri.scheme == 'https') do |http|
+    response = Net::HTTP.start(post_uri.hostname, post_uri.port, use_ssl: post_uri.scheme == 'https',
+                               open_timeout: 10, read_timeout: 30, write_timeout: 10) do |http|
       http.request(request)
     end
     {
@@ -124,10 +136,12 @@ class Ingester
 
   def upload_data_to_blob_and_queue(raw_data, blob_name, db, table_name, compression_enabled = true, mapping_reference = nil)
     # Upload data to blob and send ingestion message to queue
-    blob_uri, blob_size_bytes = upload_to_blob(@resources[:blob_sas_uri], raw_data, blob_name)
-    message = prepare_ingestion_message2(db, table_name, blob_uri, blob_size_bytes, @resources[:identity_token],
+    # Use dynamic resources method instead of stale cached reference
+    current_resources = resources
+    blob_uri, blob_size_bytes = upload_to_blob(current_resources[:blob_sas_uri], raw_data, blob_name)
+    message = prepare_ingestion_message2(db, table_name, blob_uri, blob_size_bytes, current_resources[:identity_token],
                                          compression_enabled, mapping_reference)
-    post_message_to_queue_http(@resources[:queue_sas_uri], message)
+    post_message_to_queue_http(current_resources[:queue_sas_uri], message)
     { blob_uri: blob_uri, blob_size_bytes: blob_size_bytes }
   end
 

data/lib/fluent/plugin/kusto_constants.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+# KustoConstants contains shared configuration constants used across the Kusto plugin
+# to avoid magic numbers and ensure consistency.
+module KustoConstants
+  # Authentication and token management constants
+  module Authentication
+    # Token expiry buffer time in seconds (5 minutes)
+    # Used to refresh tokens before they actually expire to prevent race conditions
+    TOKEN_EXPIRY_BUFFER_SECONDS = 300
+    
+    # Default token expiry time in seconds (55 minutes)
+    # Used when expires_in is not provided or invalid
+    DEFAULT_TOKEN_EXPIRY_SECONDS = 3300
+    
+    # Maximum retry attempts for token fetching
+    DEFAULT_MAX_RETRIES = 3
+    
+    # Base delay for exponential backoff in seconds
+    DEFAULT_BASE_DELAY = 1
+    
+    # Backoff multiplier for exponential backoff
+    DEFAULT_BACKOFF_MULTIPLIER = 2
+    
+    # Maximum delay between retries in seconds
+    DEFAULT_MAX_DELAY = 30
+    
+    # Minimum retry delay in seconds (prevents too-rapid retries)
+    MIN_RETRY_DELAY = 0.1
+    
+    # HTTP client timeout settings
+    HTTP_OPEN_TIMEOUT = 10
+    HTTP_READ_TIMEOUT = 30
+    HTTP_WRITE_TIMEOUT = 10
+  end
+  
+  # Resource caching and client management constants
+  module ResourceCache
+    # Base TTL for resource cache in seconds (6 hours)
+    BASE_CACHE_TTL_SECONDS = 21_600
+    
+    # Maximum jitter for cache TTL in seconds (±30 minutes)
+    CACHE_TTL_JITTER_SECONDS = 1800
+  end
+  
+  # Long-running pod health check constants
+  module HealthCheck
+    # Maximum age before forcing reset in seconds (12 hours)
+    MAX_COMPONENT_AGE_SECONDS = 43_200
+    
+    # Maximum refresh cycles before forcing reset
+    MAX_REFRESH_CYCLES = 100
+    
+    # Maximum resource fetch cycles before forcing reset
+    MAX_FETCH_CYCLES = 200
+  end
+end

data/lib/fluent/plugin/kusto_query.rb

@@ -8,6 +8,7 @@ require 'uri'
 require 'json'
 require 'securerandom'
 require 'base64'
+require_relative 'kusto_version'
 
 def to_ingest_endpoint(data_endpoint)
   # Convert a Kusto data endpoint to its corresponding ingest endpoint
@@ -24,12 +25,18 @@ def run_kusto_api_query(query, data_endpoint, token_provider, use_ingest_endpoin
 
   http = Net::HTTP.new(uri.host, uri.port)
   http.use_ssl = true
+  # Add timeouts to prevent hanging connections
+  http.open_timeout = 10
+  http.read_timeout = 30
+  http.write_timeout = 10
 
   headers = {
     'Authorization' => "Bearer #{access_token}",
     'Content-Type' => 'application/json',
     'Accept' => 'application/json',
-    'x-ms-client-version' => 'Kusto.FluentD:1.0.0'
+    'x-ms-client-version' => "Kusto.FluentD:#{Fluent::Plugin::Kusto::VERSION}",
+    'x-ms-app' => 'Kusto.FluentD',
+    'x-ms-user' => 'Kusto.FluentD'
   }
 
   body_hash = { csl: query }

data/lib/fluent/plugin/kusto_version.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Fluent
+  module Plugin
+    module Kusto
+      VERSION = '0.0.3.beta'
+    end
+  end
+end