kubeclient 4.9.1 → 4.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1ea191875dc5c9e99d49152f6615caa50478bc8604a4de9c6fdda0d46da75ea5
-  data.tar.gz: 84214e5b1f2f3116aeb646828e0a5cf6456173493abf1fb384fe6132a723271d
+  metadata.gz: 21e5de1343a8f393c8eef653af1bb41e061bbee7fafa5d8cedafe8c163653071
+  data.tar.gz: aebdf094e7b05239467c8120382e47b65c82e031092cfc728b605f158257800a
 SHA512:
-  metadata.gz: 549974ed0fbec82aa99df19db4829af4da21eec3ab037037c9a6880ab2b7f0bbf9a854ee9e1713a9eedccf6e7fafbc593301a8e67b745e54d88f9da158f6b596
-  data.tar.gz: 2f44720eca3c585e69c562b218f6e17c1ed0fb13dd5e26177fef6fa3ec610a6c0b1f056102ac3d3e3d9cf21801fe13d8560c509423838304cac0a40b66eedae8
+  metadata.gz: 161d8585521513897f730c0c1ab5f060634533cff048e146819dfa5c93e60afbdb67a4ed314245d61e343f7eca891454b2022e4ed9ced0117d518a8c2eb78ffa
+  data.tar.gz: 7f42460a4528177faccc81526ffc0904a5a7cc89ac56013fe99c208b6ab6cc2e7f289e1a654cb67f5f85985ffcd98af4b9e93b49cd052963d4d333697f50a7d5

data/.github/workflows/actions.yml

@@ -0,0 +1,43 @@
+name: CI
+on:
+  push:
+    branches:
+    - '**'
+    tags:
+    - '**'
+  pull_request:
+    branches:
+    - '**'
+jobs:
+  build:
+    continue-on-error: true
+    runs-on: ${{ matrix.os_and_command.os }}
+    strategy:
+      matrix:
+        ruby: [ '2.7', '3.0', '3.1', '3.2', 'ruby-head', 'truffleruby-head' ]
+        os_and_command:
+        - os: macos-latest
+          command: 'env TESTOPTS="--verbose" bundle exec rake test'
+        - os: windows-latest
+          command: 'env TESTOPTS="--verbose" bundle exec rake test'
+        - os: ubuntu-latest
+          # Sometimes minitest starts and then just hangs printing nothing.
+          # Github by default kills after 6hours(!). Hopefully SIGTERM may let it print some details?
+          command: 'timeout --signal=TERM 3m env TESTOPTS="--verbose" test/config/update_certs_k0s.rb'
+        include:
+        # run rubocop against lowest supported ruby
+        - os: ubuntu-latest
+          ruby: '2.7'
+          command: 'bundle exec rake rubocop'
+    name: ${{ matrix.os_and_command.os }} ${{ matrix.ruby }} rake ${{ matrix.os_and_command.command }}
+    steps:
+    - uses: actions/checkout@v4
+    # actions/setup-ruby did not support truffle or bundler caching
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: false # disable running 'bundle install' and caching installed gems see https://github.com/httprb/http/issues/572
+    - run: bundle install
+    - run: ${{ matrix.os_and_command.command }}
+    timeout-minutes: 10
+

data/.rubocop.yml

@@ -1,35 +1,132 @@
 AllCops:
   DisplayCopNames: true
-  TargetRubyVersion: 2.2 # Oldest version kubeclient supports
+  TargetRubyVersion: 2.7 # Oldest version kubeclient supports
 MethodLength:
   Enabled: false
 ClassLength:
   Enabled: false
 Metrics/AbcSize:
   Enabled: false
-Metrics/LineLength:
-  Max: 100
 Metrics/ParameterLists:
   Max: 5
   CountKeywordArgs: false
-Metrics/CyclomaticComplexity:
-  Max: 8
-Metrics/PerceivedComplexity:
-  Max: 8
 Metrics/ModuleLength:
   Enabled: false
-Style/MethodCallWithArgsParentheses:
-  Enabled: true
-  IgnoredMethods: [require, raise, include, attr_reader, refute, assert]
-  Exclude: [Gemfile, Rakefile, kubeclient.gemspec, Gemfile.dev.rb]
 Metrics/BlockLength:
   Exclude: [kubeclient.gemspec]
 Security/MarshalLoad:
   Exclude: [test/**/*]
 Style/FileName:
   Exclude: [Gemfile, Rakefile, Gemfile.dev.rb]
-Style/MethodCallWithArgsParentheses:
-  IgnoredMethods:
-  - require_relative
 Style/RegexpLiteral:
   Enabled: false
+
+# Cops that have active offences in the codebase.
+Lint/RedundantCopDisableDirective:
+  Enabled: false
+Metrics/CyclomaticComplexity:
+  Enabled: false
+  Max: 8
+Metrics/PerceivedComplexity:
+  Enabled: false
+  Max: 8
+Style/MethodCallWithArgsParentheses:
+  Enabled: false
+  IgnoredMethods: [require, require_relative, raise, include, attr_reader, refute, assert]
+  Exclude: [Gemfile, Rakefile, kubeclient.gemspec, Gemfile.dev.rb]
+Style/FrozenStringLiteralComment:
+  Enabled: false
+Lint/UnreachableLoop:
+  Enabled: false
+Style/RedundantRegexpEscape:
+  Enabled: false
+Layout/MultilineMethodCallIndentation:
+  Enabled: false
+Lint/UselessAssignment:
+  Enabled: false
+Style/StringLiterals:
+  Enabled: false
+Layout/ExtraSpacing:
+  Enabled: false
+Layout/IndentationWidth:
+  Enabled: false
+Naming/MethodParameterName:
+  Enabled: false
+Layout/HashAlignment:
+  Enabled: false
+Layout/TrailingWhitespace:
+  Enabled: false
+Naming/RescuedExceptionsVariableName:
+  Enabled: false
+Style/RedundantBegin:
+  Enabled: false
+Style/WordArray:
+  Enabled: false
+Style/ExplicitBlockArgument:
+  Enabled: false
+Layout/LeadingEmptyLines:
+  Enabled: false
+Layout/EmptyLineAfterGuardClause:
+  Enabled: false
+Style/SafeNavigation:
+  Enabled: false
+Style/SoleNestedConditional:
+  Enabled: false
+Lint/MissingSuper:
+  Enabled: false
+Style/IfUnlessModifier:
+  Enabled: false
+Layout/LineLength:
+  Enabled: false
+Lint/MissingCopEnableDirective:
+  Enabled: false
+Naming/MethodName:
+  Enabled: false
+Style/StringConcatenation:
+  Enabled: false
+Style/SlicingWithRange:
+  Enabled: false
+Lint/MixedRegexpCaptureTypes:
+  Enabled: false
+Style/AccessorGrouping:
+  Enabled: false
+Style/HashEachMethods:
+  Enabled: false
+Naming/AccessorMethodName:
+  Enabled: false
+Style/RedundantAssignment:
+  Enabled: false
+Gemspec/OrderedDependencies:
+  Enabled: false
+Style/ExpandPathArguments:
+  Enabled: false
+Style/Encoding:
+  Enabled: false
+
+# New Cops to configure
+Lint/DuplicateBranch: # (new in 1.3)
+  Enabled: false
+Lint/DuplicateRegexpCharacterClassElement: # (new in 1.1)
+  Enabled: false
+Lint/EmptyBlock: # (new in 1.1)
+  Enabled: false
+Lint/EmptyClass: # (new in 1.3)
+  Enabled: false
+Lint/NoReturnInBeginEndBlocks: # (new in 1.2)
+  Enabled: false
+Lint/ToEnumArguments: # (new in 1.1)
+  Enabled: false
+Lint/UnmodifiedReduceAccumulator: # (new in 1.1)
+  Enabled: false
+Style/ArgumentsForwarding: # (new in 1.1)
+  Enabled: false
+Style/CollectionCompact: # (new in 1.2)
+  Enabled: false
+Style/DocumentDynamicEvalDefinition: # (new in 1.1)
+  Enabled: false
+Style/NegatedIfElseCondition: # (new in 1.2)
+  Enabled: false
+Style/NilLambda: # (new in 1.3)
+  Enabled: false
+Style/SwapValues: # (new in 1.1)
+  Enabled: false

data/CHANGELOG.md

@@ -4,6 +4,106 @@ Notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 Kubeclient release versioning follows [SemVer](https://semver.org/).
 
+## 4.12.0 - 2024-06-18
+
+### Added
+- Add test coverage for Ruby 3.2 (#615)
+- Allow a region when getting a signer for Aws::Sts (#507)
+- Update the AWS STS endpoint to be regional as the method is now regional (#528)
+- Assume role support for aws eks credentials (#630)
+
+### Fixed
+- [v4.y] Regenerated expired test TLS certs by running `test/config/update_certs_k0s.rb`.
+- [v4.y] Regenerated expired test TLS certs (#611)
+- Regenerated expired test TLS certs (#632)
+
+### Changed
+- Update actions/checkout (#590)
+- chore(deps): update actions/checkout action to v4 (#619)
+
+## 4.11.0 — 2022-12-22
+
+### Removed
+
+- Dropped support for EOL Ruby versions 2.5, 2.6. (#589)
+
+### Added
+
+- Relaxed dependency on `http` gem (used for watches) to allow 5.y.z versions. (#589)
+
+  - Specifically, http 5.1.1 may fix issues watching with IPv6. (#585)
+
+## 4.10.1 — 2022-10-01
+
+### Removed
+
+- Dropped debug logging about bearer token options that was added in 4.10.0. (#577)
+
+## 4.10.0 — 2022-08-29
+
+### Added
+
+- When using `:bearer_token_file`, re-read the file on every request. (#566 closed #561)
+
+  Kubernetes version 1.21 graduated [BoundServiceAccountTokenVolume feature][] to beta
+  and enabled it by default, so standard in-cluster auth now uses short-lived tokens.
+
+  This changes allows a long-lived `Client` object to keep working when the token file gets
+  rotated.  It's not optimized at all, if you feel the performance overhead, please report!
+
+  [BoundServiceAccountTokenVolume feature]: https://github.com/kubernetes/enhancements/issues/542
+
+## 4.9.3 — 2022-03-23
+
+### Fixed
+
+- VULNERABILITY FIX: Previously, whenever kubeconfig did not define custom CA
+  (normal situation for production clusters with public domain and certificate!),
+  `Config` was returning ssl_options[:verify_ssl] hard-coded to `VERIFY_NONE` :-(
+
+  Assuming you passed those ssl_options to Kubeclient::Client, this means that
+  instead of checking server's certificate against your system CA store,
+  it would accept ANY certificate, allowing easy man-in-the middle attacks.
+
+  This is especially dangerous with user/password or token credentials
+  because MITM attacker could simply steal those credentials to the cluster
+  and do anything you could do on the cluster.
+
+  This was broken IN ALL RELEASES MADE BEFORE 2022, ever since
+  [`Kubeclient::Config` was created](https://github.com/ManageIQ/kubeclient/pull/127/files#diff-32e70f2f6781a9e9c7b83ae5e7eaf5ffd068a05649077fa38f6789e72f3de837R41-R48).
+
+  [#554](https://github.com/ManageIQ/kubeclient/issues/554).
+
+- Bug fix: kubeconfig `insecure-skip-tls-verify` field was ignored.
+  When kubeconfig did define custom CA, `Config` was returning hard-coded `VERIFY_PEER`.
+
+  Now we honor it, return `VERIFY_NONE` iff kubeconfig has explicit
+  `insecure-skip-tls-verify: true`, otherwise `VERIFY_PEER`.
+
+  [#555](https://github.com/ManageIQ/kubeclient/issues/555).
+
+- `Config`: fixed parsing of `certificate-authority` file containing concatenation of
+  several certificates.  Previously, server's cert was checked against only first CA cert,
+  resulting in possible "certificate verify failed" errors.
+
+  An important use case is a chain of root & intermediate cert(s) - necessary when cluster's CA
+  itself is signed by another custom CA.
+  But also helps when you simply concatenate independent certs. (#461, #552)
+
+  - Still broken (#460): inline `certificate-authority-data` is still parsed using `add_cert`
+    method that handles only one cert.
+
+These don't affect code that supplies `Client` parameters directly,
+only code that uses `Config`.
+
+## 4.9.2 — 2021-05-30
+
+### Added
+- Ruby 3.0 compatibility (#500, #505).
+
+### Removed
+- Reduce .gem size by dropping test/ directory, it's useless at run time (#502).
+
 ## 4.9.1 — 2020-08-31
 ### Fixed
 - Now should work with apiserver deployed not at root of domain but a sub-path,

data/README.md

@@ -9,6 +9,12 @@ The client supports GET, POST, PUT, DELETE on all the entities available in kube
 The client currently supports Kubernetes REST api version v1.
 To learn more about groups and versions in kubernetes refer to [k8s docs](https://kubernetes.io/docs/api/)
 
+## VULNERABILITY❗
+
+If you use `Kubeclient::Config`, all gem versions released before 2022 could return incorrect `ssl_options[:verify_ssl]`,
+endangering your connection and cluster credentials.
+See https://github.com/ManageIQ/kubeclient/issues/554 for details and which versions got a fix.
+
 ## Installation
 
 Add this line to your application's Gemfile:
@@ -98,8 +104,8 @@ client = Kubeclient::Client.new(
 ### Authentication
 
 If you are using basic authentication or bearer tokens as described
-[here](https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authentication.md) then you can specify one
-of the following:
+[here](https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authentication.md)
+then you can specify one of the following:
 
 ```ruby
 auth_options = {
@@ -111,7 +117,7 @@ client = Kubeclient::Client.new(
 )
 ```
 
-or
+or (fixed token, if it expires it's up to you to create a new `Client` object):
 
 ```ruby
 auth_options = {
@@ -122,7 +128,7 @@ client = Kubeclient::Client.new(
 )
 ```
 
-or
+or (will automatically re-read the token if file is updated):
 
 ```ruby
 auth_options = {
@@ -307,10 +313,14 @@ require 'aws-sdk-core'
 credentials = Aws::Credentials.new(access_key, secret_key)
 # Or a profile
 credentials = Aws::SharedCredentials.new(profile_name: 'default').credentials
+# Or for an STS Assumed Role Credentials or any other credential Provider other than Static Credentials
+credentials = Aws::AssumeRoleCredentials.new({ client: sts_client, role_arn: role_arn, role_session_name: session_name })
 
+# Kubeclient Auth Options
 auth_options = {
   bearer_token: Kubeclient::AmazonEksCredentials.token(credentials, eks_cluster_name)
 }
+
 client = Kubeclient::Client.new(
   eks_cluster_https_endpoint, 'v1', auth_options: auth_options
 )

data/RELEASING.md

@@ -4,10 +4,6 @@
 Kubeclient release versioning follows [SemVer](https://semver.org/).
 At some point in time it is decided to release version x.y.z.
 
-```bash
-RELEASE_BRANCH="master"
-```
-
 ## 0. (once) Install gem-release, needed for several commands here:
 
 ```bash
@@ -16,13 +12,17 @@ gem install gem-release
 
 ## 1. PR(s) for changelog & bump
 
-Edit `CHANGELOG.md` as necessary.  Even if all included changes remembered to update it, you should replace "Unreleased" section header with appropriate "x.y.z — 20yy-mm-dd" header.
-
-Bump `lib/kubeclient/version.rb` manually, or by using:
 ```bash
+RELEASE_BRANCH="master"
 RELEASE_VERSION=x.y.z
 
 git checkout -b "release-$RELEASE_VERSION" $RELEASE_BRANCH
+```
+
+Edit `CHANGELOG.md` as necessary.  Even if all included changes remembered to update it, you should replace "Unreleased" section header with appropriate "x.y.z — 20yy-mm-dd" header.
+
+Bump `lib/kubeclient/version.rb` manually, or by using:
+```bash
 # Won't work with uncommitted changes, you have to commit the changelog first.
 gem bump --version $RELEASE_VERSION
 git show # View version bump change.
@@ -46,7 +46,7 @@ Make sure we're locally after the bump PR *merge commit*:
 ```bash
 git checkout $RELEASE_BRANCH
 git status # Make sure there are no local changes
-git pull --ff-only https://github.com/abonas/kubeclient $RELEASE_BRANCH
+git pull --ff-only https://github.com/ManageIQ/kubeclient $RELEASE_BRANCH
 git log -n1
 ```
 

data/kubeclient.gemspec

@@ -14,15 +14,16 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'https://github.com/abonas/kubeclient'
   spec.license       = 'MIT'
 
-  spec.files         = `git ls-files -z`.split("\x0")
+  git_files = `git ls-files -z`.split("\x0")
+  spec.files         = git_files.grep_v(%r{^(test|spec|features)/})
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
-  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.test_files    = []
   spec.require_paths = ['lib']
-  spec.required_ruby_version = '>= 2.2.0'
+  spec.required_ruby_version = '>= 2.7.0'
 
   spec.add_development_dependency 'bundler', '>= 1.6'
-  spec.add_development_dependency 'rake', '~> 12.0'
-  spec.add_development_dependency 'minitest'
+  spec.add_development_dependency 'rake', '~> 13.0'
+  spec.add_development_dependency 'minitest', '~> 5.15.0'
   spec.add_development_dependency 'minitest-rg'
   spec.add_development_dependency 'webmock', '~> 3.0'
   spec.add_development_dependency 'vcr'
@@ -30,9 +31,12 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'googleauth', '~> 0.5.1'
   spec.add_development_dependency('mocha', '~> 1.5')
   spec.add_development_dependency 'openid_connect', '~> 1.1'
+  spec.add_development_dependency 'net-smtp'
+  # needed on Windows, at least for openid_connect
+  spec.add_development_dependency 'tzinfo-data'
 
   spec.add_dependency 'jsonpath', '~> 1.0'
   spec.add_dependency 'rest-client', '~> 2.0'
   spec.add_dependency 'recursive-open-struct', '~> 1.1', '>= 1.1.1'
-  spec.add_dependency 'http', '>= 3.0', '< 5.0'
+  spec.add_dependency 'http', '>= 3.0', '< 6.0'
 end

data/lib/kubeclient/aws_eks_credentials.rb

@@ -7,7 +7,7 @@ module Kubeclient
     end
 
     class << self
-      def token(credentials, eks_cluster)
+      def token(credentials, eks_cluster, region: 'us-east-1')
         begin
           require 'aws-sigv4'
           require 'base64'
@@ -20,17 +20,26 @@ module Kubeclient
         end
         # https://github.com/aws/aws-sdk-ruby/pull/1848
         # Get a signer
-        # Note - sts only has ONE endpoint (not regional) so 'us-east-1' hardcoding should be OK
-        signer = Aws::Sigv4::Signer.new(
-          service: 'sts',
-          region: 'us-east-1',
-          credentials: credentials
-        )
+        signer = if credentials.respond_to?(:credentials)
+                   Aws::Sigv4::Signer.new(
+                     service: 'sts',
+                     region: region,
+                     credentials_provider: credentials
+                   )
+                 else
+                   Aws::Sigv4::Signer.new(
+                     service: 'sts',
+                     region: region,
+                     credentials: credentials
+                   )
+                 end
+
+        credentials = credentials.credentials if credentials.respond_to?(:credentials)
 
         # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Sigv4/Signer.html#presign_url-instance_method
         presigned_url_string = signer.presign_url(
           http_method: 'GET',
-          url: 'https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15',
+          url: "https://sts.#{region}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15",
           body: '',
           credentials: credentials,
           expires_in: 60,

data/lib/kubeclient/common.rb

@@ -78,7 +78,7 @@ module Kubeclient
       @api_version = version
       @headers = {}
       @ssl_options = ssl_options
-      @auth_options = auth_options
+      @auth_options = auth_options.dup
       @socket_options = socket_options
       # Allow passing partial timeouts hash, without unspecified
       # @timeouts[:foo] == nil resulting in infinite timeout.
@@ -87,11 +87,11 @@ module Kubeclient
       @http_max_redirects = http_max_redirects
       @as = as
 
-      if auth_options[:bearer_token]
-        bearer_token(@auth_options[:bearer_token])
-      elsif auth_options[:bearer_token_file]
+      if auth_options[:bearer_token_file]
         validate_bearer_token_file
         bearer_token(File.read(@auth_options[:bearer_token_file]))
+      elsif auth_options[:bearer_token]
+        bearer_token(@auth_options[:bearer_token])
       end
     end
 
@@ -136,6 +136,11 @@ module Kubeclient
       @discovered = true
     end
 
+    def get_headers
+      bearer_token(File.read(@auth_options[:bearer_token_file])) if @auth_options[:bearer_token_file]
+      @headers
+    end
+
     def self.parse_definition(kind, name)
       # Kubernetes gives us 3 inputs:
       #   kind: "ComponentStatus", "NetworkPolicy", "Endpoints"
@@ -267,8 +272,8 @@ module Kubeclient
           patch_entity(entity.resource_name, name, patch, 'merge-patch', namespace)
         end
 
-        define_singleton_method("apply_#{entity.method_names[0]}") do |*args|
-          apply_entity(entity.resource_name, *args)
+        define_singleton_method("apply_#{entity.method_names[0]}") do |resource, opts = {}|
+          apply_entity(entity.resource_name, resource, **opts)
         end
       end
     end
@@ -349,7 +354,7 @@ module Kubeclient
       ns_prefix = build_namespace_prefix(options[:namespace])
       response = handle_exception do
         rest_client[ns_prefix + resource_name]
-          .get({ 'params' => params }.merge(@headers))
+          .get({ 'params' => params }.merge(get_headers))
       end
       format_response(options[:as] || @as, response.body, entity_type)
     end
@@ -362,7 +367,7 @@ module Kubeclient
       ns_prefix = build_namespace_prefix(namespace)
       response = handle_exception do
         rest_client[ns_prefix + resource_name + "/#{name}"]
-          .get(@headers)
+          .get(get_headers)
       end
       format_response(options[:as] || @as, response.body)
     end
@@ -378,7 +383,7 @@ module Kubeclient
           rs.options.merge(
             method: :delete,
             url: rs.url,
-            headers: { 'Content-Type' => 'application/json' }.merge(@headers),
+            headers: { 'Content-Type' => 'application/json' }.merge(get_headers),
             payload: payload
           )
         )
@@ -400,7 +405,7 @@ module Kubeclient
       hash[:apiVersion] = @api_group + @api_version
       response = handle_exception do
         rest_client[ns_prefix + resource_name]
-          .post(hash.to_json, { 'Content-Type' => 'application/json' }.merge(@headers))
+          .post(hash.to_json, { 'Content-Type' => 'application/json' }.merge(get_headers))
       end
       format_response(@as, response.body)
     end
@@ -410,7 +415,7 @@ module Kubeclient
       ns_prefix = build_namespace_prefix(entity_config[:metadata][:namespace])
       response = handle_exception do
         rest_client[ns_prefix + resource_name + "/#{name}"]
-          .put(entity_config.to_h.to_json, { 'Content-Type' => 'application/json' }.merge(@headers))
+          .put(entity_config.to_h.to_json, { 'Content-Type' => 'application/json' }.merge(get_headers))
       end
       format_response(@as, response.body)
     end
@@ -421,7 +426,7 @@ module Kubeclient
         rest_client[ns_prefix + resource_name + "/#{name}"]
           .patch(
             patch.to_json,
-            { 'Content-Type' => "application/#{strategy}+json" }.merge(@headers)
+            { 'Content-Type' => "application/#{strategy}+json" }.merge(get_headers)
           )
       end
       format_response(@as, response.body)
@@ -434,7 +439,7 @@ module Kubeclient
         rest_client[ns_prefix + resource_name + "/#{name}"]
           .patch(
             resource.to_json,
-            { 'Content-Type' => 'application/apply-patch+yaml' }.merge(@headers)
+            { 'Content-Type' => 'application/apply-patch+yaml' }.merge(get_headers)
           )
       end
       format_response(@as, response.body)
@@ -468,7 +473,7 @@ module Kubeclient
       ns = build_namespace_prefix(namespace)
       handle_exception do
         rest_client[ns + "pods/#{pod_name}/log"]
-          .get({ 'params' => params }.merge(@headers))
+          .get({ 'params' => params }.merge(get_headers))
       end
     end
 
@@ -506,7 +511,7 @@ module Kubeclient
       ns_prefix = build_namespace_prefix(template[:metadata][:namespace])
       response = handle_exception do
         rest_client[ns_prefix + 'processedtemplates']
-          .post(template.to_h.to_json, { 'Content-Type' => 'application/json' }.merge(@headers))
+          .post(template.to_h.to_json, { 'Content-Type' => 'application/json' }.merge(get_headers))
       end
       JSON.parse(response)
     end
@@ -519,7 +524,7 @@ module Kubeclient
     end
 
     def api
-      response = handle_exception { create_rest_client.get(@headers) }
+      response = handle_exception { create_rest_client.get(get_headers) }
       JSON.parse(response)
     end
 
@@ -593,7 +598,7 @@ module Kubeclient
     end
 
     def fetch_entities
-      JSON.parse(handle_exception { rest_client.get(@headers) })
+      JSON.parse(handle_exception { rest_client.get(get_headers) })
     end
 
     def bearer_token(bearer_token)
@@ -638,11 +643,11 @@ module Kubeclient
       options = {
         basic_auth_user: @auth_options[:username],
         basic_auth_password: @auth_options[:password],
-        headers: @headers,
+        headers: get_headers,
         http_proxy_uri: @http_proxy_uri,
         http_max_redirects: http_max_redirects
       }
-
+      options[:bearer_token_file] = @auth_options[:bearer_token_file] if @auth_options[:bearer_token_file]
       if uri.scheme == 'https'
         options[:ssl] = {
           ca_file: @ssl_options[:ca_file],