Skip to content

config: write api_key['BearerToken'] so v36+ SDK auth works #2585

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
k8s-ci-robot merged 2 commits into from
May 21, 2026
Merged

config: write api_key['BearerToken'] so v36+ SDK auth works #2585

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c3608a4
config: write api_key['BearerToken'] so v36+ SDK auth works
Jmacek May 21, 2026
7cc2c57
config: drop dual-write, replace 'authorization' with 'BearerToken'
Jmacek May 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions kubernetes/base/config/incluster_config.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,7 @@ def _set_config(self, client_configuration):
client_configuration.ssl_ca_cert = self.ssl_ca_cert
if self.token is not None:
client_configuration.api_key['authorization'] = self.token
client_configuration.api_key['BearerToken'] = self.token
Copy link
Copy Markdown

@faust64 faust64 May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it make sense to have 2 configurations with that same token?
Either one or the other would be fine. It has to be consistent everywhere.

Do we know why that BearerToken was introduced? What was the intention?

Copy link
Copy Markdown
Member

@roycaihw roycaihw May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is related https://github.com/kubernetes-client/python/blob/master/CHANGELOG.md#breaking-change-from-upgrading-openapi-generator-to-v660. It was introduced in upstream client generator. Same question here. I think upstream did a replacement, rather than keeping both. cc @yliaog

Copy link
Copy Markdown
Contributor Author

@Jmacek Jmacek May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks both - the original intent of writing both keys was to hedge backward compatibility for any third-party code introspecting api_key['authorization'] directly. But since the rename was already documented as a breaking change in the v6.6.0 generator upgrade, aligning the loaders with that decision is the right call. Switching to a straight replacement.

if not self._try_refresh_token:
return

Expand Down
17 changes: 17 additions & 0 deletions kubernetes/base/config/incluster_config_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,23 @@ def test_refresh_token(self):
self.assertEqual('bearer ' + _TEST_NEW_TOKEN, loader.token)
self.assertGreater(loader.token_expires_at, old_token_expires_at)

def test_load_incluster_sets_request_authorization_header(self):
from kubernetes.client import ApiClient
cert_filename = self._create_file_with_temp_content(_TEST_CERT)
loader = self.get_test_loader(cert_filename=cert_filename)
config = Configuration()
loader.load_and_set(config)

api_client = ApiClient(config)
headers = {}
api_client.update_params_for_auth(headers, [], ['BearerToken'])

self.assertIn('authorization', headers)
self.assertTrue(
headers['authorization'].lower().startswith('bearer '),
"Expected a Bearer authorization header, got: %r"
% headers['authorization'])

def _should_fail_load(self, config_loader, reason):
try:
config_loader.load_and_set()
Expand Down
1 change: 1 addition & 0 deletions kubernetes/base/config/kube_config.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -528,6 +528,7 @@ def _load_cluster_info(self):
def _set_config(self, client_configuration):
if 'token' in self.__dict__:
client_configuration.api_key['authorization'] = self.token
client_configuration.api_key['BearerToken'] = self.token

def _refresh_api_key(client_configuration):
if ('expiry' in self.__dict__ and _is_expired(self.expiry)):
Expand Down
13 changes: 9 additions & 4 deletions kubernetes/base/config/kube_config_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -370,6 +370,7 @@ def __init__(self, token=None, **kwargs):
self.refresh_api_key_hook = None
if token:
self.api_key['authorization'] = token
self.api_key['BearerToken'] = token

self.__dict__.update(kwargs)

Expand Down Expand Up @@ -1317,7 +1318,8 @@ def test_user_exec_auth(self, mock):
"token": token
}
expected = FakeConfig(host=TEST_HOST, api_key={
"authorization": BEARER_TOKEN_FORMAT % token})
"authorization": BEARER_TOKEN_FORMAT % token,
"BearerToken": BEARER_TOKEN_FORMAT % token})
actual = FakeConfig()
KubeConfigLoader(
config_dict=self.TEST_KUBE_CONFIG,
Expand Down Expand Up @@ -1395,7 +1397,8 @@ def test_user_cmd_path(self):
return_value = A(token, parse_rfc3339(datetime.datetime.now()))
CommandTokenSource.token = mock.Mock(return_value=return_value)
expected = FakeConfig(api_key={
"authorization": BEARER_TOKEN_FORMAT % token})
"authorization": BEARER_TOKEN_FORMAT % token,
"BearerToken": BEARER_TOKEN_FORMAT % token})
actual = FakeConfig()
KubeConfigLoader(
config_dict=self.TEST_KUBE_CONFIG,
Expand All @@ -1408,7 +1411,8 @@ def test_user_cmd_path_empty(self):
return_value = A(token, parse_rfc3339(datetime.datetime.now()))
CommandTokenSource.token = mock.Mock(return_value=return_value)
expected = FakeConfig(api_key={
"authorization": BEARER_TOKEN_FORMAT % token})
"authorization": BEARER_TOKEN_FORMAT % token,
"BearerToken": BEARER_TOKEN_FORMAT % token})
actual = FakeConfig()
self.expect_exception(lambda: KubeConfigLoader(
config_dict=self.TEST_KUBE_CONFIG,
Expand All @@ -1422,7 +1426,8 @@ def test_user_cmd_path_with_scope(self):
return_value = A(token, parse_rfc3339(datetime.datetime.now()))
CommandTokenSource.token = mock.Mock(return_value=return_value)
expected = FakeConfig(api_key={
"authorization": BEARER_TOKEN_FORMAT % token})
"authorization": BEARER_TOKEN_FORMAT % token,
"BearerToken": BEARER_TOKEN_FORMAT % token})
actual = FakeConfig()
self.expect_exception(lambda: KubeConfigLoader(
config_dict=self.TEST_KUBE_CONFIG,
Expand Down
1 change: 1 addition & 0 deletions kubernetes_asyncio/config/incluster_config.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,7 @@ def _set_config(self, client_configuration):
client_configuration.ssl_ca_cert = self.ssl_ca_cert
if self.token is not None:
client_configuration.api_key['authorization'] = self.token
client_configuration.api_key['BearerToken'] = self.token
if not self._try_refresh_token:
return

Expand Down