feat(auth)!: use generic kubernetes-authorization header

manusa · web-flow · commit 6da90015a11b · 2025-06-05T12:22:07.000+02:00
diff --git a/pkg/kubernetes/kubernetes.go b/pkg/kubernetes/kubernetes.go
@@ -19,11 +19,11 @@ import (
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	"k8s.io/klog/v2"
 	"sigs.k8s.io/yaml"
+	"strings"
 )
 
 const (
-	AuthorizationHeader            = "Kubernetes-Authorization"
-	AuthorizationBearerTokenHeader = "kubernetes-authorization-bearer-token"
+	AuthorizationHeader = "kubernetes-authorization"
 )
 
 type CloseWatchKubeConfig func() error
@@ -125,13 +125,13 @@ func (k *Kubernetes) ToRESTMapper() (meta.RESTMapper, error) {
 }
 
 func (k *Kubernetes) Derived(ctx context.Context) *Kubernetes {
-	bearerToken, ok := ctx.Value(AuthorizationBearerTokenHeader).(string)
-	if !ok {
+	authorization, ok := ctx.Value(AuthorizationHeader).(string)
+	if !ok || !strings.HasPrefix(authorization, "Bearer ") {
 		return k
 	}
-	klog.V(5).Infof("%s header found, using provided bearer token", AuthorizationBearerTokenHeader)
+	klog.V(5).Infof("%s header found (Bearer), using provided bearer token", AuthorizationHeader)
 	derivedCfg := rest.CopyConfig(k.cfg)
-	derivedCfg.BearerToken = bearerToken
+	derivedCfg.BearerToken = strings.TrimPrefix(authorization, "Bearer ")
 	derivedCfg.BearerTokenFile = ""
 	derivedCfg.Username = ""
 	derivedCfg.Password = ""
diff --git a/pkg/mcp/mcp.go b/pkg/mcp/mcp.go
@@ -109,6 +109,5 @@ func NewTextResult(content string, err error) *mcp.CallToolResult {
 }
 
 func contextFunc(ctx context.Context, r *http.Request) context.Context {
-	//return context.WithValue(ctx, kubernetes.AuthorizationHeader, r.Header.Get(kubernetes.AuthorizationHeader))
-	return context.WithValue(ctx, kubernetes.AuthorizationBearerTokenHeader, r.Header.Get(kubernetes.AuthorizationBearerTokenHeader))
+	return context.WithValue(ctx, kubernetes.AuthorizationHeader, r.Header.Get(kubernetes.AuthorizationHeader))
 }
diff --git a/pkg/mcp/mcp_test.go b/pkg/mcp/mcp_test.go
@@ -96,7 +96,7 @@ func TestSseHeaders(t *testing.T) {
 	defer mockServer.Close()
 	before := func(c *mcpContext) {
 		c.withKubeConfig(mockServer.config)
-		c.clientOptions = append(c.clientOptions, client.WithHeaders(map[string]string{"kubernetes-authorization-bearer-token": "a-token-from-mcp-client"}))
+		c.clientOptions = append(c.clientOptions, client.WithHeaders(map[string]string{"kubernetes-authorization": "Bearer a-token-from-mcp-client"}))
 	}
 	pathHeaders := make(map[string]http.Header, 0)
 	mockServer.Handle(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {

Original file line number	Diff line number	Diff line change
`@@ -109,6 +109,5 @@ func NewTextResult(content string, err error) *mcp.CallToolResult {`
`109`	`109`	`}`
`110`	`110`
`111`	`111`	`func contextFunc(ctx context.Context, r *http.Request) context.Context {`
`112`		`- //return context.WithValue(ctx, kubernetes.AuthorizationHeader, r.Header.Get(kubernetes.AuthorizationHeader))`
`113`		`- return context.WithValue(ctx, kubernetes.AuthorizationBearerTokenHeader, r.Header.Get(kubernetes.AuthorizationBearerTokenHeader))`
	`112`	`+ return context.WithValue(ctx, kubernetes.AuthorizationHeader, r.Header.Get(kubernetes.AuthorizationHeader))`
`114`	`113`	`}`
Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ func TestSseHeaders(t *testing.T) {`
`96`	`96`	`defer mockServer.Close()`
`97`	`97`	`before := func(c *mcpContext) {`
`98`	`98`	`c.withKubeConfig(mockServer.config)`
`99`		`- c.clientOptions = append(c.clientOptions, client.WithHeaders(map[string]string{"kubernetes-authorization-bearer-token": "a-token-from-mcp-client"}))`
	`99`	`+ c.clientOptions = append(c.clientOptions, client.WithHeaders(map[string]string{"kubernetes-authorization": "Bearer a-token-from-mcp-client"}))`
`100`	`100`	`}`
`101`	`101`	`pathHeaders := make(map[string]http.Header, 0)`
`102`	`102`	`mockServer.Handle(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {`