fix: add token in the header for kube

Kubernetes JWT endpoint is authenticated so we must pass the token from the config in the PyJWKClient's client header to fetch the public keys. Signed-off-by: Sébastien Han <seb@redhat.com>
2025-12-12 12:06:04 +00:00 · 2025-10-10 14:47:08 +02:00 · 2025-10-10 14:47:08 +02:00 · dbd6e2be06
commit dbd6e2be06
parent a1c98ca87b
4 changed files with 11 additions and 2 deletions
--- a/.github/workflows/integration-auth-tests.yml
+++ b/.github/workflows/integration-auth-tests.yml
@ -81,6 +81,7 @@ jobs:
          yq eval '.server.auth.provider_config.issuer = "${{ env.KUBERNETES_ISSUER }}"' -i $run_dir/run.yaml
          yq eval '.server.auth.provider_config.audience = "${{ env.KUBERNETES_AUDIENCE }}"' -i $run_dir/run.yaml
          yq eval '.server.auth.provider_config.jwks.uri = "${{ env.KUBERNETES_API_SERVER_URL }}"' -i $run_dir/run.yaml
+          yq eval '.server.auth.provider_config.jwks.token = "${{ env.TOKEN }}"' -i $run_dir/run.yaml
          cat $run_dir/run.yaml

          # avoid line breaks in the server log, especially because we grep it below.
--- a/llama_stack/core/server/auth_providers.py
+++ b/llama_stack/core/server/auth_providers.py
@ -124,11 +124,19 @@ class OAuth2TokenAuthProvider(AuthProvider):
                    )
                # If verify_tls is True and no tls_cafile, ssl_context remains None (use system defaults)

+                # Prepare headers for JWKS request - this is needed for Kubernetes to authenticate
+                # to the JWK endpoint
+                headers = {}
+                if self.config.jwks.token:
+                    headers["Authorization"] = f"Bearer {self.config.jwks.token}"
+
+                # Create PyJWKClient with SSL context if supported
                self._jwks_client = jwt.PyJWKClient(
                    self.config.jwks.uri,
                    cache_keys=True,
                    max_cached_keys=10,
                    lifespan=self.config.jwks.key_recheck_period,  # Use configurable period
+                    headers=headers,
                    ssl_context=ssl_context,
                )

--- a/pyproject.toml
+++ b/pyproject.toml
@ -34,7 +34,7 @@ dependencies = [
    "openai>=1.107",                                  # for expires_after support
    "prompt-toolkit",
    "python-dotenv",
-    "pyjwt[crypto]>=2.8.0",                           # Pull crypto to support RS256 for jwt.
+    "pyjwt[crypto]>=2.10.0",                          # Pull crypto to support RS256 for jwt. Requires 2.10.0+ for ssl_context support.
    "pydantic>=2.11.9",
    "rich",
    "starlette",
--- a/uv.lock
+++ b/uv.lock
@ -1898,7 +1898,7 @@ requires-dist = [
    { name = "pillow" },
    { name = "prompt-toolkit" },
    { name = "pydantic", specifier = ">=2.11.9" },
-    { name = "pyjwt", extras = ["crypto"], specifier = ">=2.8.0" },
+    { name = "pyjwt", extras = ["crypto"], specifier = ">=2.10.0" },
    { name = "python-dotenv" },
    { name = "python-multipart", specifier = ">=0.0.20" },
    { name = "rich" },