config: write api_key['BearerToken'] so v36+ SDK auth works

jmacek · jmacek · commit 322667b48076 · 2026-05-21T10:11:55.000-07:00
v36 rewrote Configuration.auth_settings() to look up the bearer-token
credential under api_key['BearerToken'], matching the OpenAPI security
scheme name. The in-cluster and kubeconfig loaders were not updated -
they still write api_key['authorization'], the v35 lookup key.

As a result, on v36 every call to load_incluster_config() (and
load_kube_config() with a static token) produces a Configuration whose
auth_settings() yields no bearer credential, so outgoing API requests
are sent without an Authorization header and the apiserver treats them
as system:anonymous.

Write the token under both 'authorization' (v35) and 'BearerToken'
(v36+) so requests carry the expected header on either SDK release line.

Add a regression test in incluster_config_test that drives a real
ApiClient.update_params_for_auth() against a freshly-loaded
Configuration and asserts the resulting headers contain an Authorization
entry - the end-to-end invariant that v36 quietly broke.
diff --git a/kubernetes/base/config/incluster_config.py b/kubernetes/base/config/incluster_config.py
@@ -89,6 +89,7 @@ def _set_config(self, client_configuration):
         client_configuration.ssl_ca_cert = self.ssl_ca_cert
         if self.token is not None:
             client_configuration.api_key['authorization'] = self.token
+            client_configuration.api_key['BearerToken'] = self.token
         if not self._try_refresh_token:
             return
 
diff --git a/kubernetes/base/config/incluster_config_test.py b/kubernetes/base/config/incluster_config_test.py
@@ -108,6 +108,23 @@ def test_refresh_token(self):
         self.assertEqual('bearer ' + _TEST_NEW_TOKEN, loader.token)
         self.assertGreater(loader.token_expires_at, old_token_expires_at)
 
+    def test_load_incluster_sets_request_authorization_header(self):
+        from kubernetes.client import ApiClient
+        cert_filename = self._create_file_with_temp_content(_TEST_CERT)
+        loader = self.get_test_loader(cert_filename=cert_filename)
+        config = Configuration()
+        loader.load_and_set(config)
+
+        api_client = ApiClient(config)
+        headers = {}
+        api_client.update_params_for_auth(headers, [], ['BearerToken'])
+
+        self.assertIn('authorization', headers)
+        self.assertTrue(
+            headers['authorization'].lower().startswith('bearer '),
+            "Expected a Bearer authorization header, got: %r"
+            % headers['authorization'])
+
     def _should_fail_load(self, config_loader, reason):
         try:
             config_loader.load_and_set()
diff --git a/kubernetes/base/config/kube_config.py b/kubernetes/base/config/kube_config.py
@@ -528,6 +528,7 @@ def _load_cluster_info(self):
     def _set_config(self, client_configuration):
         if 'token' in self.__dict__:
             client_configuration.api_key['authorization'] = self.token
+            client_configuration.api_key['BearerToken'] = self.token
 
             def _refresh_api_key(client_configuration):
                 if ('expiry' in self.__dict__ and _is_expired(self.expiry)):
diff --git a/kubernetes/base/config/kube_config_test.py b/kubernetes/base/config/kube_config_test.py
@@ -370,6 +370,7 @@ def __init__(self, token=None, **kwargs):
         self.refresh_api_key_hook = None
         if token:
             self.api_key['authorization'] = token
+            self.api_key['BearerToken'] = token
 
         self.__dict__.update(kwargs)
 
@@ -1317,7 +1318,8 @@ def test_user_exec_auth(self, mock):
             "token": token
         }
         expected = FakeConfig(host=TEST_HOST, api_key={
-                              "authorization": BEARER_TOKEN_FORMAT % token})
+                              "authorization": BEARER_TOKEN_FORMAT % token,
+                              "BearerToken": BEARER_TOKEN_FORMAT % token})
         actual = FakeConfig()
         KubeConfigLoader(
             config_dict=self.TEST_KUBE_CONFIG,
@@ -1395,7 +1397,8 @@ def test_user_cmd_path(self):
         return_value = A(token, parse_rfc3339(datetime.datetime.now()))
         CommandTokenSource.token = mock.Mock(return_value=return_value)
         expected = FakeConfig(api_key={
-                              "authorization": BEARER_TOKEN_FORMAT % token})
+                              "authorization": BEARER_TOKEN_FORMAT % token,
+                              "BearerToken": BEARER_TOKEN_FORMAT % token})
         actual = FakeConfig()
         KubeConfigLoader(
             config_dict=self.TEST_KUBE_CONFIG,
@@ -1408,7 +1411,8 @@ def test_user_cmd_path_empty(self):
         return_value = A(token, parse_rfc3339(datetime.datetime.now()))
         CommandTokenSource.token = mock.Mock(return_value=return_value)
         expected = FakeConfig(api_key={
-                              "authorization": BEARER_TOKEN_FORMAT % token})
+                              "authorization": BEARER_TOKEN_FORMAT % token,
+                              "BearerToken": BEARER_TOKEN_FORMAT % token})
         actual = FakeConfig()
         self.expect_exception(lambda: KubeConfigLoader(
             config_dict=self.TEST_KUBE_CONFIG,
@@ -1422,7 +1426,8 @@ def test_user_cmd_path_with_scope(self):
         return_value = A(token, parse_rfc3339(datetime.datetime.now()))
         CommandTokenSource.token = mock.Mock(return_value=return_value)
         expected = FakeConfig(api_key={
-                              "authorization": BEARER_TOKEN_FORMAT % token})
+                              "authorization": BEARER_TOKEN_FORMAT % token,
+                              "BearerToken": BEARER_TOKEN_FORMAT % token})
         actual = FakeConfig()
         self.expect_exception(lambda: KubeConfigLoader(
             config_dict=self.TEST_KUBE_CONFIG,
