From ee9240fba8d46275c9561484109b238ae225391c Mon Sep 17 00:00:00 2001 From: kramaranya Date: Tue, 7 Jul 2026 12:35:17 +0100 Subject: [PATCH] fix: support kubernetes client v35-v36 token keys Signed-off-by: kramaranya --- mlflow_kubernetes_plugins/auth/authorizer.py | 7 ++-- tests/test_auth.py | 34 ++++++++++++++++++++ 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/mlflow_kubernetes_plugins/auth/authorizer.py b/mlflow_kubernetes_plugins/auth/authorizer.py index c27b3c5..f80eb55 100644 --- a/mlflow_kubernetes_plugins/auth/authorizer.py +++ b/mlflow_kubernetes_plugins/auth/authorizer.py @@ -242,8 +242,11 @@ def _build_api_client_with_token(self, token: str) -> client.ApiClient: configuration.username = None configuration.password = None configuration.refresh_api_key_hook = None - configuration.api_key = {"authorization": token} - configuration.api_key_prefix = {"authorization": "Bearer"} + # Set both legacy ('authorization') and v36+ ('BearerToken') keys. + # kubernetes-client/python still has a compatibility gap across v35-v36 + # for manually constructed Configuration objects; see issues #2592 and PR #2618. + configuration.api_key = {"BearerToken": token, "authorization": token} + configuration.api_key_prefix = {"BearerToken": "Bearer", "authorization": "Bearer"} return client.ApiClient(configuration) def _submit_self_subject_access_review( diff --git a/tests/test_auth.py b/tests/test_auth.py index 9a7c6c6..4165133 100644 --- a/tests/test_auth.py +++ b/tests/test_auth.py @@ -4216,6 +4216,40 @@ def test_subject_access_review_authorizer_close_is_idempotent(monkeypatch): fake_client.close.assert_called_once() +def test_build_api_client_with_token_sets_both_bearer_keys(): + """Verify _build_api_client_with_token sets both 'BearerToken' and 'authorization' + api_key entries for compatibility across kubernetes client v35-v36+. + + See https://github.com/kubernetes-client/python/issues/2592 + """ + from kubernetes import client + + base_conf = client.Configuration() + base_conf.host = "https://localhost:6443" + base_conf.ssl_ca_cert = None + base_conf.verify_ssl = False + + authorizer = KubernetesAuthorizer( + KubernetesAuthConfig(authorization_mode=AuthorizationMode.SELF_SUBJECT_ACCESS_REVIEW) + ) + authorizer._base_configuration = base_conf + + token = "test-token-value" + api_client = authorizer._build_api_client_with_token(token) + conf = api_client.configuration + + assert "BearerToken" in conf.api_key, "missing BearerToken api_key (needed for k8s client v36+)" + assert "authorization" in conf.api_key, "missing authorization api_key (needed for k8s client v35)" + assert conf.api_key["BearerToken"] == token + assert conf.api_key["authorization"] == token + assert conf.api_key_prefix["BearerToken"] == "Bearer" + assert conf.api_key_prefix["authorization"] == "Bearer" + + auth = conf.auth_settings() + assert "BearerToken" in auth, "auth_settings() must resolve a BearerToken entry" + assert auth["BearerToken"]["value"] == f"Bearer {token}" + + def test_normalize_rules_single_rule(): rule = AuthorizationRule("get", resource=RESOURCE_EXPERIMENTS) assert _normalize_rules(rule) == [rule]