Skip to content

config: write api_key['BearerToken'] so v36+ SDK auth works #2585

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
k8s-ci-robot merged 2 commits into from
May 21, 2026
Merged

config: write api_key['BearerToken'] so v36+ SDK auth works #2585

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c3608a4
config: write api_key['BearerToken'] so v36+ SDK auth works
Jmacek May 21, 2026
7cc2c57
config: drop dual-write, replace 'authorization' with 'BearerToken'
Jmacek May 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion kubernetes/base/config/incluster_config.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ def _set_config(self, client_configuration):
client_configuration.host = self.host
client_configuration.ssl_ca_cert = self.ssl_ca_cert
if self.token is not None:
client_configuration.api_key['authorization'] = self.token
client_configuration.api_key['BearerToken'] = self.token
Copy link
Copy Markdown

@faust64 faust64 May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it make sense to have 2 configurations with that same token?
Either one or the other would be fine. It has to be consistent everywhere.

Do we know why that BearerToken was introduced? What was the intention?

Copy link
Copy Markdown
Member

@roycaihw roycaihw May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is related https://github.com/kubernetes-client/python/blob/master/CHANGELOG.md#breaking-change-from-upgrading-openapi-generator-to-v660. It was introduced in upstream client generator. Same question here. I think upstream did a replacement, rather than keeping both. cc @yliaog

Copy link
Copy Markdown
Contributor Author

@Jmacek Jmacek May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks both - the original intent of writing both keys was to hedge backward compatibility for any third-party code introspecting api_key['authorization'] directly. But since the rename was already documented as a breaking change in the v6.6.0 generator upgrade, aligning the loaders with that decision is the right call. Switching to a straight replacement.

if not self._try_refresh_token:
return

Expand Down
23 changes: 20 additions & 3 deletions kubernetes/base/config/incluster_config_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ def test_refresh_token(self):
loader.load_and_set(config)

self.assertEqual('bearer ' + _TEST_TOKEN,
config.get_api_key_with_prefix('authorization'))
config.get_api_key_with_prefix('BearerToken'))
self.assertEqual('bearer ' + _TEST_TOKEN, loader.token)
self.assertIsNotNone(loader.token_expires_at)

Expand All @@ -100,14 +100,31 @@ def test_refresh_token(self):
loader._token_filename = self._create_file_with_temp_content(
_TEST_NEW_TOKEN)
self.assertEqual('bearer ' + _TEST_TOKEN,
config.get_api_key_with_prefix('authorization'))
config.get_api_key_with_prefix('BearerToken'))

loader.token_expires_at = datetime.datetime.now()
self.assertEqual('bearer ' + _TEST_NEW_TOKEN,
config.get_api_key_with_prefix('authorization'))
config.get_api_key_with_prefix('BearerToken'))
self.assertEqual('bearer ' + _TEST_NEW_TOKEN, loader.token)
self.assertGreater(loader.token_expires_at, old_token_expires_at)

def test_load_incluster_sets_request_authorization_header(self):
from kubernetes.client import ApiClient
cert_filename = self._create_file_with_temp_content(_TEST_CERT)
loader = self.get_test_loader(cert_filename=cert_filename)
config = Configuration()
loader.load_and_set(config)

api_client = ApiClient(config)
headers = {}
api_client.update_params_for_auth(headers, [], ['BearerToken'])

self.assertIn('authorization', headers)
self.assertTrue(
headers['authorization'].lower().startswith('bearer '),
"Expected a Bearer authorization header, got: %r"
% headers['authorization'])

def _should_fail_load(self, config_loader, reason):
try:
config_loader.load_and_set()
Expand Down
2 changes: 1 addition & 1 deletion kubernetes/base/config/kube_config.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -527,7 +527,7 @@ def _load_cluster_info(self):

def _set_config(self, client_configuration):
if 'token' in self.__dict__:
client_configuration.api_key['authorization'] = self.token
client_configuration.api_key['BearerToken'] = self.token

def _refresh_api_key(client_configuration):
if ('expiry' in self.__dict__ and _is_expired(self.expiry)):
Expand Down
24 changes: 12 additions & 12 deletions kubernetes/base/config/kube_config_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -369,7 +369,7 @@ def __init__(self, token=None, **kwargs):
# Provided by the OpenAPI-generated Configuration class
self.refresh_api_key_hook = None
if token:
self.api_key['authorization'] = token
self.api_key['BearerToken'] = token

self.__dict__.update(kwargs)

Expand Down Expand Up @@ -905,7 +905,7 @@ def test_gcp_no_refresh(self):
self.assertIsNotNone(fake_config.refresh_api_key_hook)
self.assertEqual(TEST_HOST, fake_config.host)
self.assertEqual(BEARER_TOKEN_FORMAT % TEST_DATA_BASE64,
fake_config.api_key['authorization'])
fake_config.api_key['BearerToken'])

def test_load_gcp_token_no_refresh(self):
loader = KubeConfigLoader(
Expand Down Expand Up @@ -1283,14 +1283,14 @@ def test_new_client_from_config(self):
config_file=config_file, context="simple_token")
self.assertEqual(TEST_HOST, client.configuration.host)
self.assertEqual(BEARER_TOKEN_FORMAT % TEST_DATA_BASE64,
client.configuration.api_key['authorization'])
client.configuration.api_key['BearerToken'])

def test_new_client_from_config_dict(self):
client = new_client_from_config_dict(
config_dict=self.TEST_KUBE_CONFIG, context="simple_token")
self.assertEqual(TEST_HOST, client.configuration.host)
self.assertEqual(BEARER_TOKEN_FORMAT % TEST_DATA_BASE64,
client.configuration.api_key['authorization'])
client.configuration.api_key['BearerToken'])

def test_no_users_section(self):
expected = FakeConfig(host=TEST_HOST)
Expand All @@ -1317,7 +1317,7 @@ def test_user_exec_auth(self, mock):
"token": token
}
expected = FakeConfig(host=TEST_HOST, api_key={
"authorization": BEARER_TOKEN_FORMAT % token})
"BearerToken": BEARER_TOKEN_FORMAT % token})
actual = FakeConfig()
KubeConfigLoader(
config_dict=self.TEST_KUBE_CONFIG,
Expand Down Expand Up @@ -1347,13 +1347,13 @@ def test_user_exec_auth_with_expiry(self, mock):
active_context="exec_cred_user").load_and_set(fake_config)
# The kube config should use the first token returned from the
# exec provider.
self.assertEqual(fake_config.api_key["authorization"],
self.assertEqual(fake_config.api_key["BearerToken"],
BEARER_TOKEN_FORMAT % expired_token)
# Should now be populated with a method to refresh expired tokens.
self.assertIsNotNone(fake_config.refresh_api_key_hook)
# Refresh the token; the kube config should be updated.
fake_config.refresh_api_key_hook(fake_config)
self.assertEqual(fake_config.api_key["authorization"],
self.assertEqual(fake_config.api_key["BearerToken"],
BEARER_TOKEN_FORMAT % current_token)

@mock.patch('kubernetes.config.kube_config.ExecProvider.run')
Expand Down Expand Up @@ -1395,7 +1395,7 @@ def test_user_cmd_path(self):
return_value = A(token, parse_rfc3339(datetime.datetime.now()))
CommandTokenSource.token = mock.Mock(return_value=return_value)
expected = FakeConfig(api_key={
"authorization": BEARER_TOKEN_FORMAT % token})
"BearerToken": BEARER_TOKEN_FORMAT % token})
actual = FakeConfig()
KubeConfigLoader(
config_dict=self.TEST_KUBE_CONFIG,
Expand All @@ -1408,7 +1408,7 @@ def test_user_cmd_path_empty(self):
return_value = A(token, parse_rfc3339(datetime.datetime.now()))
CommandTokenSource.token = mock.Mock(return_value=return_value)
expected = FakeConfig(api_key={
"authorization": BEARER_TOKEN_FORMAT % token})
"BearerToken": BEARER_TOKEN_FORMAT % token})
actual = FakeConfig()
self.expect_exception(lambda: KubeConfigLoader(
config_dict=self.TEST_KUBE_CONFIG,
Expand All @@ -1422,7 +1422,7 @@ def test_user_cmd_path_with_scope(self):
return_value = A(token, parse_rfc3339(datetime.datetime.now()))
CommandTokenSource.token = mock.Mock(return_value=return_value)
expected = FakeConfig(api_key={
"authorization": BEARER_TOKEN_FORMAT % token})
"BearerToken": BEARER_TOKEN_FORMAT % token})
actual = FakeConfig()
self.expect_exception(lambda: KubeConfigLoader(
config_dict=self.TEST_KUBE_CONFIG,
Expand Down Expand Up @@ -1723,7 +1723,7 @@ def test_new_client_from_config(self):
config_file=kubeconfigs, context="simple_token")
self.assertEqual(TEST_HOST, client.configuration.host)
self.assertEqual(BEARER_TOKEN_FORMAT % TEST_DATA_BASE64,
client.configuration.api_key['authorization'])
client.configuration.api_key['BearerToken'])

def test_merge_with_context_in_different_file(self):
kubeconfigs = self._create_multi_config(self.TEST_KUBE_CONFIG_SET2)
Expand All @@ -1739,7 +1739,7 @@ def test_merge_with_context_in_different_file(self):
self.assertEqual(active_context, expected_contexts[0])
self.assertEqual(TEST_HOST, client.configuration.host)
self.assertEqual(BEARER_TOKEN_FORMAT % TEST_DATA_BASE64,
client.configuration.api_key['authorization'])
client.configuration.api_key['BearerToken'])

def test_save_changes(self):
kubeconfigs = self._create_multi_config(self.TEST_KUBE_CONFIG_SET1)
Expand Down
2 changes: 1 addition & 1 deletion kubernetes_asyncio/config/incluster_config.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ def _set_config(self, client_configuration):
client_configuration.host = self.host
client_configuration.ssl_ca_cert = self.ssl_ca_cert
if self.token is not None:
client_configuration.api_key['authorization'] = self.token
client_configuration.api_key['BearerToken'] = self.token
if not self._try_refresh_token:
return

Expand Down
6 changes: 3 additions & 3 deletions kubernetes_asyncio/config/incluster_config_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ async def test_refresh_token(self):
loader.load_and_set(config)

self.assertEqual('bearer ' + _TEST_TOKEN,
await config.get_api_key_with_prefix('authorization'))
await config.get_api_key_with_prefix('BearerToken'))
self.assertEqual('bearer ' + _TEST_TOKEN, loader.token)
self.assertIsNotNone(loader.token_expires_at)

Expand All @@ -100,11 +100,11 @@ async def test_refresh_token(self):
loader._token_filename = self._create_file_with_temp_content(
_TEST_NEW_TOKEN)
self.assertEqual('bearer ' + _TEST_TOKEN,
await config.get_api_key_with_prefix('authorization'))
await config.get_api_key_with_prefix('BearerToken'))

loader.token_expires_at = datetime.datetime.now()
self.assertEqual('bearer ' + _TEST_NEW_TOKEN,
await config.get_api_key_with_prefix('authorization'))
await config.get_api_key_with_prefix('BearerToken'))
self.assertEqual('bearer ' + _TEST_NEW_TOKEN, loader.token)
self.assertGreater(loader.token_expires_at, old_token_expires_at)

Expand Down