From 5a8b6a592c0e5f1c49a47e60255d1a87b3ab28b6 Mon Sep 17 00:00:00 2001 From: HaimLC <110099998+HaimLC@users.noreply.github.com> Date: Thu, 2 Jul 2026 11:58:11 +0300 Subject: [PATCH] Apply alias fallback to prefix lookup in get_api_key_with_prefix PR 2604 restored the api_key['authorization'] fallback in auth_settings() by calling get_api_key_with_prefix('BearerToken', alias='authorization'), but get_api_key_with_prefix only applied `alias` to the api_key lookup, not the api_key_prefix lookup. Callers that set the prefix under the legacy 'authorization' key (rather than embedding "Bearer " directly in the token) get a bearer token with no "Bearer " prefix, which most API servers (and GKE's anonymous-auth fallback) don't recognize as a valid Authorization header -> system:anonymous. Apply the same alias fallback to the prefix lookup, symmetrically in the sync (kubernetes/client/configuration.py) and async (kubernetes/aio/client/configuration.py) variants, matching the pattern PR 2604 already established for the key lookup. See https://github.com/kubernetes-client/python/issues/2592 Signed-off-by: HaimLC <110099998+HaimLC@users.noreply.github.com> --- kubernetes/aio/client/configuration.py | 3 ++- kubernetes/client/configuration.py | 3 ++- kubernetes/test/test_api_client.py | 11 +++++++++++ 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/kubernetes/aio/client/configuration.py b/kubernetes/aio/client/configuration.py index f1cedb7c0e..1f92834fbb 100644 --- a/kubernetes/aio/client/configuration.py +++ b/kubernetes/aio/client/configuration.py @@ -388,7 +388,8 @@ async def get_api_key_with_prefix(self, identifier, alias=None): await result key = self.api_key.get(identifier, self.api_key.get(alias) if alias is not None else None) if key: - prefix = self.api_key_prefix.get(identifier) + prefix = self.api_key_prefix.get( + identifier, self.api_key_prefix.get(alias) if alias is not None else None) if prefix: return "%s %s" % (prefix, key) else: diff --git a/kubernetes/client/configuration.py b/kubernetes/client/configuration.py index d113df1e69..61676067a8 100644 --- a/kubernetes/client/configuration.py +++ b/kubernetes/client/configuration.py @@ -379,7 +379,8 @@ def get_api_key_with_prefix(self, identifier, alias=None): self.refresh_api_key_hook(self) key = self.api_key.get(identifier, self.api_key.get(alias) if alias is not None else None) if key: - prefix = self.api_key_prefix.get(identifier) + prefix = self.api_key_prefix.get( + identifier, self.api_key_prefix.get(alias) if alias is not None else None) if prefix: return "%s %s" % (prefix, key) else: diff --git a/kubernetes/test/test_api_client.py b/kubernetes/test/test_api_client.py index 9a7789fd1a..f79b59d05e 100644 --- a/kubernetes/test/test_api_client.py +++ b/kubernetes/test/test_api_client.py @@ -120,3 +120,14 @@ def test_auth_settings_with_no_token(self): """No api_key entry yields an empty auth dict.""" config = Configuration() self.assertEqual(config.auth_settings(), {}) + + def test_auth_settings_with_authorization_key_and_prefix(self): + """Legacy callers that split the token and prefix across + api_key['authorization'] and api_key_prefix['authorization'] (rather + than embedding "Bearer " in the token itself) must still get the + prefix applied. https://github.com/kubernetes-client/python/issues/2592 + """ + config = Configuration() + config.api_key['authorization'] = 'abc123' + config.api_key_prefix['authorization'] = 'Bearer' + self.assertEqual(self._bearer_value(config), 'Bearer abc123')