Merge pull request #2585 from Jmacek/fix-incluster-auth-v36-bearertoken-key

k8s-ci-robot · web-flow · commit 46989af4f776 · 2026-05-22T04:10:47.000+05:30
config: write api_key['BearerToken'] so v36+ SDK auth works
diff --git a/kubernetes/base/config/incluster_config.py b/kubernetes/base/config/incluster_config.py
@@ -88,7 +88,7 @@ def _set_config(self, client_configuration):
         client_configuration.host = self.host
         client_configuration.ssl_ca_cert = self.ssl_ca_cert
         if self.token is not None:
-            client_configuration.api_key['authorization'] = self.token
+            client_configuration.api_key['BearerToken'] = self.token
         if not self._try_refresh_token:
             return
 
diff --git a/kubernetes/base/config/incluster_config_test.py b/kubernetes/base/config/incluster_config_test.py
@@ -91,7 +91,7 @@ def test_refresh_token(self):
         loader.load_and_set(config)
 
         self.assertEqual('bearer ' + _TEST_TOKEN,
-                         config.get_api_key_with_prefix('authorization'))
+                         config.get_api_key_with_prefix('BearerToken'))
         self.assertEqual('bearer ' + _TEST_TOKEN, loader.token)
         self.assertIsNotNone(loader.token_expires_at)
 
@@ -100,14 +100,31 @@ def test_refresh_token(self):
         loader._token_filename = self._create_file_with_temp_content(
             _TEST_NEW_TOKEN)
         self.assertEqual('bearer ' + _TEST_TOKEN,
-                         config.get_api_key_with_prefix('authorization'))
+                         config.get_api_key_with_prefix('BearerToken'))
 
         loader.token_expires_at = datetime.datetime.now()
         self.assertEqual('bearer ' + _TEST_NEW_TOKEN,
-                         config.get_api_key_with_prefix('authorization'))
+                         config.get_api_key_with_prefix('BearerToken'))
         self.assertEqual('bearer ' + _TEST_NEW_TOKEN, loader.token)
         self.assertGreater(loader.token_expires_at, old_token_expires_at)
 
+    def test_load_incluster_sets_request_authorization_header(self):
+        from kubernetes.client import ApiClient
+        cert_filename = self._create_file_with_temp_content(_TEST_CERT)
+        loader = self.get_test_loader(cert_filename=cert_filename)
+        config = Configuration()
+        loader.load_and_set(config)
+
+        api_client = ApiClient(config)
+        headers = {}
+        api_client.update_params_for_auth(headers, [], ['BearerToken'])
+
+        self.assertIn('authorization', headers)
+        self.assertTrue(
+            headers['authorization'].lower().startswith('bearer '),
+            "Expected a Bearer authorization header, got: %r"
+            % headers['authorization'])
+
     def _should_fail_load(self, config_loader, reason):
         try:
             config_loader.load_and_set()
diff --git a/kubernetes/base/config/kube_config.py b/kubernetes/base/config/kube_config.py
@@ -527,7 +527,7 @@ def _load_cluster_info(self):
 
     def _set_config(self, client_configuration):
         if 'token' in self.__dict__:
-            client_configuration.api_key['authorization'] = self.token
+            client_configuration.api_key['BearerToken'] = self.token
 
             def _refresh_api_key(client_configuration):
                 if ('expiry' in self.__dict__ and _is_expired(self.expiry)):
diff --git a/kubernetes/base/config/kube_config_test.py b/kubernetes/base/config/kube_config_test.py
@@ -369,7 +369,7 @@ def __init__(self, token=None, **kwargs):
         # Provided by the OpenAPI-generated Configuration class
         self.refresh_api_key_hook = None
         if token:
-            self.api_key['authorization'] = token
+            self.api_key['BearerToken'] = token
 
         self.__dict__.update(kwargs)
 
@@ -905,7 +905,7 @@ def test_gcp_no_refresh(self):
         self.assertIsNotNone(fake_config.refresh_api_key_hook)
         self.assertEqual(TEST_HOST, fake_config.host)
         self.assertEqual(BEARER_TOKEN_FORMAT % TEST_DATA_BASE64,
-                         fake_config.api_key['authorization'])
+                         fake_config.api_key['BearerToken'])
 
     def test_load_gcp_token_no_refresh(self):
         loader = KubeConfigLoader(
@@ -1283,14 +1283,14 @@ def test_new_client_from_config(self):
             config_file=config_file, context="simple_token")
         self.assertEqual(TEST_HOST, client.configuration.host)
         self.assertEqual(BEARER_TOKEN_FORMAT % TEST_DATA_BASE64,
-                         client.configuration.api_key['authorization'])
+                         client.configuration.api_key['BearerToken'])
 
     def test_new_client_from_config_dict(self):
         client = new_client_from_config_dict(
             config_dict=self.TEST_KUBE_CONFIG, context="simple_token")
         self.assertEqual(TEST_HOST, client.configuration.host)
         self.assertEqual(BEARER_TOKEN_FORMAT % TEST_DATA_BASE64,
-                         client.configuration.api_key['authorization'])
+                         client.configuration.api_key['BearerToken'])
 
     def test_no_users_section(self):
         expected = FakeConfig(host=TEST_HOST)
@@ -1317,7 +1317,7 @@ def test_user_exec_auth(self, mock):
             "token": token
         }
         expected = FakeConfig(host=TEST_HOST, api_key={
-                              "authorization": BEARER_TOKEN_FORMAT % token})
+                              "BearerToken": BEARER_TOKEN_FORMAT % token})
         actual = FakeConfig()
         KubeConfigLoader(
             config_dict=self.TEST_KUBE_CONFIG,
@@ -1347,13 +1347,13 @@ def test_user_exec_auth_with_expiry(self, mock):
             active_context="exec_cred_user").load_and_set(fake_config)
         # The kube config should use the first token returned from the
         # exec provider.
-        self.assertEqual(fake_config.api_key["authorization"],
+        self.assertEqual(fake_config.api_key["BearerToken"],
                          BEARER_TOKEN_FORMAT % expired_token)
         # Should now be populated with a method to refresh expired tokens.
         self.assertIsNotNone(fake_config.refresh_api_key_hook)
         # Refresh the token; the kube config should be updated.
         fake_config.refresh_api_key_hook(fake_config)
-        self.assertEqual(fake_config.api_key["authorization"],
+        self.assertEqual(fake_config.api_key["BearerToken"],
                          BEARER_TOKEN_FORMAT % current_token)
 
     @mock.patch('kubernetes.config.kube_config.ExecProvider.run')
@@ -1395,7 +1395,7 @@ def test_user_cmd_path(self):
         return_value = A(token, parse_rfc3339(datetime.datetime.now()))
         CommandTokenSource.token = mock.Mock(return_value=return_value)
         expected = FakeConfig(api_key={
-                              "authorization": BEARER_TOKEN_FORMAT % token})
+                              "BearerToken": BEARER_TOKEN_FORMAT % token})
         actual = FakeConfig()
         KubeConfigLoader(
             config_dict=self.TEST_KUBE_CONFIG,
@@ -1408,7 +1408,7 @@ def test_user_cmd_path_empty(self):
         return_value = A(token, parse_rfc3339(datetime.datetime.now()))
         CommandTokenSource.token = mock.Mock(return_value=return_value)
         expected = FakeConfig(api_key={
-                              "authorization": BEARER_TOKEN_FORMAT % token})
+                              "BearerToken": BEARER_TOKEN_FORMAT % token})
         actual = FakeConfig()
         self.expect_exception(lambda: KubeConfigLoader(
             config_dict=self.TEST_KUBE_CONFIG,
@@ -1422,7 +1422,7 @@ def test_user_cmd_path_with_scope(self):
         return_value = A(token, parse_rfc3339(datetime.datetime.now()))
         CommandTokenSource.token = mock.Mock(return_value=return_value)
         expected = FakeConfig(api_key={
-                              "authorization": BEARER_TOKEN_FORMAT % token})
+                              "BearerToken": BEARER_TOKEN_FORMAT % token})
         actual = FakeConfig()
         self.expect_exception(lambda: KubeConfigLoader(
             config_dict=self.TEST_KUBE_CONFIG,
@@ -1723,7 +1723,7 @@ def test_new_client_from_config(self):
             config_file=kubeconfigs, context="simple_token")
         self.assertEqual(TEST_HOST, client.configuration.host)
         self.assertEqual(BEARER_TOKEN_FORMAT % TEST_DATA_BASE64,
-                         client.configuration.api_key['authorization'])
+                         client.configuration.api_key['BearerToken'])
 
     def test_merge_with_context_in_different_file(self):
         kubeconfigs = self._create_multi_config(self.TEST_KUBE_CONFIG_SET2)
@@ -1739,7 +1739,7 @@ def test_merge_with_context_in_different_file(self):
         self.assertEqual(active_context, expected_contexts[0])
         self.assertEqual(TEST_HOST, client.configuration.host)
         self.assertEqual(BEARER_TOKEN_FORMAT % TEST_DATA_BASE64,
-                         client.configuration.api_key['authorization'])
+                         client.configuration.api_key['BearerToken'])
 
     def test_save_changes(self):
         kubeconfigs = self._create_multi_config(self.TEST_KUBE_CONFIG_SET1)
diff --git a/kubernetes_asyncio/config/incluster_config.py b/kubernetes_asyncio/config/incluster_config.py
@@ -88,7 +88,7 @@ def _set_config(self, client_configuration):
         client_configuration.host = self.host
         client_configuration.ssl_ca_cert = self.ssl_ca_cert
         if self.token is not None:
-            client_configuration.api_key['authorization'] = self.token
+            client_configuration.api_key['BearerToken'] = self.token
         if not self._try_refresh_token:
             return
 
diff --git a/kubernetes_asyncio/config/incluster_config_test.py b/kubernetes_asyncio/config/incluster_config_test.py
@@ -91,7 +91,7 @@ async def test_refresh_token(self):
         loader.load_and_set(config)
 
         self.assertEqual('bearer ' + _TEST_TOKEN,
-                         await config.get_api_key_with_prefix('authorization'))
+                         await config.get_api_key_with_prefix('BearerToken'))
         self.assertEqual('bearer ' + _TEST_TOKEN, loader.token)
         self.assertIsNotNone(loader.token_expires_at)
 
@@ -100,11 +100,11 @@ async def test_refresh_token(self):
         loader._token_filename = self._create_file_with_temp_content(
             _TEST_NEW_TOKEN)
         self.assertEqual('bearer ' + _TEST_TOKEN,
-                         await config.get_api_key_with_prefix('authorization'))
+                         await config.get_api_key_with_prefix('BearerToken'))
 
         loader.token_expires_at = datetime.datetime.now()
         self.assertEqual('bearer ' + _TEST_NEW_TOKEN,
-                         await config.get_api_key_with_prefix('authorization'))
+                         await config.get_api_key_with_prefix('BearerToken'))
         self.assertEqual('bearer ' + _TEST_NEW_TOKEN, loader.token)
         self.assertGreater(loader.token_expires_at, old_token_expires_at)
 
