Restore bearer-token fallback in Configuration.auth_settings()

Prior to v36.0.0 the generated client stored the bearer token under
api_key['authorization']. v36.0.0 switched the lookup to
api_key['BearerToken'] without a fallback, which silently dropped the
Authorization header from every outgoing request when callers (or the
load_kube_config path in v36.0.0) still wrote the token under
'authorization'. The result was 401 Unauthorized against every cluster
that relied on bearer-token auth, observable on both REST calls and
WebSocket exec.

Restore the legacy lookup as a fallback in auth_settings(): if
'BearerToken' is absent but 'authorization' is set, route the lookup
through get_api_key_with_prefix(..., alias='authorization') so the
existing 'authorization' key is honored. 'BearerToken' continues to
take precedence when both are set, so the new behavior is unchanged
for new code.

Applies symmetrically to kubernetes.client.configuration and
kubernetes.aio.client.configuration.

Fixes #2595

Signed-off-by: Gaurav Galiyawala <galiyawalagaurav@gmail.com>

Author: GK-07

kubernetes/aio/client/configuration.py

@@ -415,13 +415,19 @@ async def auth_settings(self):
         :return: The Auth Settings information dict.
         """
         auth = {}
-        if 'BearerToken' in self.api_key:
+        # Backward compatibility: prior to v36.0.0 the bearer token was
+        # stored under the 'authorization' api_key. Continue to honor it
+        # so user code that sets ``config.api_key['authorization']``
+        # directly keeps working with the new 'BearerToken' key the
+        # generated client now looks for.
+        # See: https://github.com/kubernetes-client/python/issues/2595
+        if 'BearerToken' in self.api_key or 'authorization' in self.api_key:
             auth['BearerToken'] = {
                 'type': 'api_key',
                 'in': 'header',
                 'key': 'authorization',
                 'value': await self.get_api_key_with_prefix(
-                    'BearerToken',
+                    'BearerToken', alias='authorization',
                 ),
             }
         return auth

kubernetes/client/configuration.py

@@ -406,13 +406,19 @@ def auth_settings(self):
         :return: The Auth Settings information dict.
         """
         auth = {}
-        if 'BearerToken' in self.api_key:
+        # Backward compatibility: prior to v36.0.0 the bearer token was
+        # stored under the 'authorization' api_key. Continue to honor it
+        # so user code that sets ``config.api_key['authorization']``
+        # directly keeps working with the new 'BearerToken' key the
+        # generated client now looks for.
+        # See: https://github.com/kubernetes-client/python/issues/2595
+        if 'BearerToken' in self.api_key or 'authorization' in self.api_key:
             auth['BearerToken'] = {
                 'type': 'api_key',
                 'in': 'header',
                 'key': 'authorization',
                 'value': self.get_api_key_with_prefix(
-                    'BearerToken',
+                    'BearerToken', alias='authorization',
                 ),
             }
         return auth

kubernetes/test/test_api_client.py

@@ -78,3 +78,45 @@ def test_rest_proxycare(self):
             # test
             client = kubernetes.client.ApiClient(configuration=config)
             self.assertEqual( expected_pool, type(client.rest_client.pool_manager) )
+
+
+class TestConfigurationAuthSettings(unittest.TestCase):
+    """Regression tests for Configuration.auth_settings() bearer-token lookup.
+
+    Prior to v36.0.0 the generated client stored the bearer token under
+    ``api_key['authorization']`` (e.g. set by ``load_kube_config`` or by
+    user code directly). v36.0.0 switched the lookup to
+    ``api_key['BearerToken']`` without a fallback, which silently dropped
+    the Authorization header from every outgoing request and caused 401
+    Unauthorized against any cluster relying on bearer tokens.
+    See: https://github.com/kubernetes-client/python/issues/2595
+    """
+
+    def _bearer_value(self, config):
+        settings = config.auth_settings()
+        self.assertIn('BearerToken', settings)
+        return settings['BearerToken']['value']
+
+    def test_auth_settings_with_bearer_token_key(self):
+        """The new key 'BearerToken' continues to work."""
+        config = Configuration()
+        config.api_key['BearerToken'] = 'Bearer abc123'
+        self.assertEqual(self._bearer_value(config), 'Bearer abc123')
+
+    def test_auth_settings_with_authorization_key(self):
+        """Legacy key 'authorization' is honored as a fallback."""
+        config = Configuration()
+        config.api_key['authorization'] = 'Bearer abc123'
+        self.assertEqual(self._bearer_value(config), 'Bearer abc123')
+
+    def test_auth_settings_bearer_token_takes_precedence(self):
+        """When both keys are set, 'BearerToken' wins."""
+        config = Configuration()
+        config.api_key['BearerToken'] = 'Bearer new'
+        config.api_key['authorization'] = 'Bearer old'
+        self.assertEqual(self._bearer_value(config), 'Bearer new')
+
+    def test_auth_settings_with_no_token(self):
+        """No api_key entry yields an empty auth dict."""
+        config = Configuration()
+        self.assertEqual(config.auth_settings(), {})