scaleway · remyleone · Oct 13, 2025 · Oct 13, 2025
@@ -9,9 +9,16 @@ EXAMPLES:
   Get the kubeconfig for a given cluster
     scw k8s kubeconfig get 11111111-1111-1111-1111-111111111111
 
+  Get the kubeconfig for a given cluster by copying current secret_key to it
+    scw k8s kubeconfig get 11111111-1111-1111-1111-111111111111 auth-method=copy-cli-token
+
+  Get the kubeconfig for a given cluster and use legacy authentication
+    scw k8s kubeconfig get 11111111-1111-1111-1111-111111111111 auth-method=legacy
+
 ARGS:
-  cluster-id        Cluster ID from which to retrieve the kubeconfig
-  [region=fr-par]   Region to target. If none is passed will use default region from the config
+  cluster-id          Cluster ID from which to retrieve the kubeconfig
+  [auth-method=cli]   Which method to use to authenticate using kubelet (cli | copy-cli-token | legacy)
+  [region=fr-par]     Region to target. If none is passed will use default region from the config
 
 FLAGS:
   -h, --help   help for get

@@ -10,8 +10,15 @@ EXAMPLES:
   Install the kubeconfig for a given cluster and using the new context
     scw k8s kubeconfig install 11111111-1111-1111-1111-111111111111
 
+  Get the kubeconfig for a given cluster by copying current secret_key to it
+    scw k8s kubeconfig install 11111111-1111-1111-1111-111111111111 auth-method=copy-cli-token
+
+  Get the kubeconfig for a given cluster and use legacy authentication
+    scw k8s kubeconfig install 11111111-1111-1111-1111-111111111111 auth-method=legacy
+
 ARGS:
   cluster-id               Cluster ID from which to retrieve the kubeconfig
+  [auth-method=cli]        Which method to use to authenticate using kubelet (cli | copy-cli-token | legacy)
   [keep-current-context]   Whether or not to keep the current kubeconfig context unmodified
   [region=fr-par]          Region to target. If none is passed will use default region from the config
 

@@ -640,6 +640,7 @@ scw k8s kubeconfig get <cluster-id ...> [arg=value ...]
 | Name |   | Description |
 |------|---|-------------|
 | cluster-id | Required | Cluster ID from which to retrieve the kubeconfig |
+| auth-method | Default: `cli`<br />One of: `cli`, `copy-cli-token`, `legacy` | Which method to use to authenticate using kubelet |
 | region | Default: `fr-par` | Region to target. If none is passed will use default region from the config |
 
 
@@ -651,6 +652,16 @@ Get the kubeconfig for a given cluster
 scw k8s kubeconfig get 11111111-1111-1111-1111-111111111111
 ```
 
+Get the kubeconfig for a given cluster by copying current secret_key to it
+```
+scw k8s kubeconfig get 11111111-1111-1111-1111-111111111111 auth-method=copy-cli-token
+```
+
+Get the kubeconfig for a given cluster and use legacy authentication
+```
+scw k8s kubeconfig get 11111111-1111-1111-1111-111111111111 auth-method=legacy
+```
+
 
 
 
@@ -671,6 +682,7 @@ scw k8s kubeconfig install <cluster-id ...> [arg=value ...]
 | Name |   | Description |
 |------|---|-------------|
 | cluster-id | Required | Cluster ID from which to retrieve the kubeconfig |
+| auth-method | Default: `cli`<br />One of: `cli`, `copy-cli-token`, `legacy` | Which method to use to authenticate using kubelet |
 | keep-current-context |  | Whether or not to keep the current kubeconfig context unmodified |
 | region | Default: `fr-par` | Region to target. If none is passed will use default region from the config |
 
@@ -683,6 +695,16 @@ Install the kubeconfig for a given cluster and using the new context
 scw k8s kubeconfig install 11111111-1111-1111-1111-111111111111
 ```
 
+Get the kubeconfig for a given cluster by copying current secret_key to it
+```
+scw k8s kubeconfig install 11111111-1111-1111-1111-111111111111 auth-method=copy-cli-token
+```
+
+Get the kubeconfig for a given cluster and use legacy authentication
+```
+scw k8s kubeconfig install 11111111-1111-1111-1111-111111111111 auth-method=legacy
+```
+
 
 
 

@@ -1,9 +1,13 @@
 package k8s
 
 import (
+	"context"
+	"errors"
+
 	"github.com/scaleway/scaleway-cli/v2/core"
 	"github.com/scaleway/scaleway-cli/v2/core/human"
 	k8s "github.com/scaleway/scaleway-sdk-go/api/k8s/v1"
+	"github.com/scaleway/scaleway-sdk-go/scw"
 )
 
 // GetCommands returns cluster commands.
@@ -60,3 +64,25 @@ func GetCommands() *core.Commands {
 
 	return cmds
 }
+
+func extractSecretKey(ctx context.Context) (string, error) {
+	config, _ := scw.LoadConfigFromPath(core.ExtractConfigPath(ctx))
+	profileName := core.ExtractProfileName(ctx)
+
+	switch {
+	// Environment variable check
+	case core.ExtractEnv(ctx, scw.ScwSecretKeyEnv) != "":
+		return core.ExtractEnv(ctx, scw.ScwSecretKeyEnv), nil
+	// There is no config file
+	case config == nil:
+		return "", errors.New("config not provided")
+	// Config file with profile name
+	case config.Profiles[profileName] != nil && config.Profiles[profileName].SecretKey != nil:
+		return *config.Profiles[profileName].SecretKey, nil
+	// Default config
+	case config.SecretKey != nil:
+		return *config.SecretKey, nil
+	}
+
+	return "", errors.New("unable to find secret key")
+}
@@ -10,25 +10,25 @@ import (
 func Test_GetCluster(t *testing.T) {
 	t.Run("Simple", core.Test(&core.TestConfig{
 		Commands:   k8s.GetCommands(),
-		BeforeFunc: createCluster("get-cluster", "Cluster", kapsuleVersion, 1, "DEV1-M"),
+		BeforeFunc: createCluster("get-cluster", 1, "DEV1-M"),
 		Cmd:        "scw k8s cluster get {{ .Cluster.ID }}",
 		Check: core.TestCheckCombine(
 			core.TestCheckGolden(),
 			core.TestCheckExitCode(0),
 		),
-		AfterFunc: deleteCluster("Cluster"),
+		AfterFunc: deleteCluster(),
 	}))
 }
 
 func Test_WaitCluster(t *testing.T) {
 	t.Run("wait for pools", core.Test(&core.TestConfig{
 		Commands:   k8s.GetCommands(),
-		BeforeFunc: createCluster("wait-cluster", "Cluster", kapsuleVersion, 1, "GP1-XS"),
+		BeforeFunc: createCluster("wait-cluster", 1, "GP1-XS"),
 		Cmd:        "scw k8s cluster wait {{ .Cluster.ID }} wait-for-pools=true",
 		Check: core.TestCheckCombine(
 			core.TestCheckGolden(),
 			core.TestCheckExitCode(0),
 		),
-		AfterFunc: deleteCluster("Cluster"),
+		AfterFunc: deleteCluster(),
 	}))
 }
@@ -3,12 +3,9 @@ package k8s
 import (
 	"context"
 	"encoding/json"
-	"errors"
-	"fmt"
 	"reflect"
 
 	"github.com/scaleway/scaleway-cli/v2/core"
-	"github.com/scaleway/scaleway-sdk-go/scw"
 	"github.com/scaleway/scaleway-sdk-go/validation"
 )
 
@@ -28,39 +25,20 @@ func k8sExecCredentialCommand() *core.Command {
 }
 
 func k8sExecCredentialRun(ctx context.Context, _ any) (i any, e error) {
-	config, _ := scw.LoadConfigFromPath(core.ExtractConfigPath(ctx))
-	profileName := core.ExtractProfileName(ctx)
-
-	var token string
-	switch {
-	// Environment variable check
-	case core.ExtractEnv(ctx, scw.ScwSecretKeyEnv) != "":
-		token = core.ExtractEnv(ctx, scw.ScwSecretKeyEnv)
-	// There is no config file
-	case config == nil:
-		return nil, errors.New("config not provided")
-	// Config file with profile name
-	case config.Profiles[profileName] != nil && config.Profiles[profileName].SecretKey != nil:
-		token = *config.Profiles[profileName].SecretKey
-	// Default config
-	case config.SecretKey != nil:
-		token = *config.SecretKey
-	default:
-		return nil, errors.New("unable to find secret key")
+	secretKey, err := extractSecretKey(ctx)
+	if err != nil {
+		return nil, err
 	}
 
-	if !validation.IsSecretKey(token) {
-		return nil, fmt.Errorf(
-			"invalid secret key format '%s', expected a UUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
-			token,
-		)
+	if !validation.IsSecretKey(secretKey) {
+		return nil, core.InvalidSecretKeyError(secretKey)
 	}
 
 	execCreds := ExecCredential{
 		APIVersion: "client.authentication.k8s.io/v1",
 		Kind:       "ExecCredential",
 		Status: &ExecCredentialStatus{
-			Token: token,
+			Token: secretKey,
 		},
 	}
 	response, err := json.MarshalIndent(execCreds, "", "    ")

@@ -20,7 +20,9 @@ const (
 )
 
 func Test_ExecCredential(t *testing.T) {
-	// expect to return default secret_key
+	////
+	// Simple expect to return current secret_key
+	////
 	t.Run("simple", core.Test(&core.TestConfig{
 		Commands:   k8s.GetCommands(),
 		TmpHomeDir: true,
@@ -37,7 +39,9 @@ func Test_ExecCredential(t *testing.T) {
 		),
 	}))
 
+	////
 	// expect to return 66666666-6666-6666-6666-666666666666
+	////
 	t.Run("with scw_secret_key env", core.Test(&core.TestConfig{
 		Commands:   k8s.GetCommands(),
 		TmpHomeDir: true,
@@ -53,7 +57,9 @@ func Test_ExecCredential(t *testing.T) {
 		),
 	}))
 
+	////
 	// expect to return p2 secret_key
+	////
 	t.Run("with profile env", core.Test(&core.TestConfig{
 		Commands:   k8s.GetCommands(),
 		TmpHomeDir: true,
@@ -71,7 +77,9 @@ func Test_ExecCredential(t *testing.T) {
 		),
 	}))
 
+	////
 	// expect to return p3 secret_key
+	////
 	t.Run("with profile flag", core.Test(&core.TestConfig{
 		Commands:   k8s.GetCommands(),
 		TmpHomeDir: true,
@@ -88,7 +96,9 @@ func Test_ExecCredential(t *testing.T) {
 		),
 	}))
 
+	////
 	// expect to return p3 secret_key
+	////
 	t.Run("with profile env and flag", core.Test(&core.TestConfig{
 		Commands:   k8s.GetCommands(),
 		TmpHomeDir: true,
@@ -111,12 +121,16 @@ func beforeFuncCreateConfigFile(c *scw.Config) core.BeforeFunc {
 	return func(ctx *core.BeforeFuncCtx) error {
 		homeDir := ctx.OverrideEnv["HOME"]
 		scwDir := path.Join(homeDir, ".config", "scw")
-		err := os.MkdirAll(scwDir, 0o0755)
-		if err != nil {
+		if err := os.MkdirAll(scwDir, 0o0755); err != nil {
+			return err
+		}
+
+		scwPath := path.Join(scwDir, "config.yaml")
+		if err := c.SaveTo(scwPath); err != nil {
 			return err
 		}
 
-		return c.SaveTo(path.Join(scwDir, "config.yaml"))
+		return nil
 	}
 }