From 6c3c48825e3795fe54a9e03e981cdd2706c83048 Mon Sep 17 00:00:00 2001
From: Brendan Burns <5751682+brendandburns@users.noreply.github.com>
Date: Mon, 10 Mar 2025 20:24:07 +0000
Subject: [PATCH 1/2] Add the ability to inject authenticators.
---
 src/config.ts | 6 ++++++
 src/config_test.ts | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
diff --git a/src/config.ts b/src/config.ts
index 482a12a85c..93d17aab22 100644
--- a/src/config.ts
+++ b/src/config.ts
@@ -65,6 +65,12 @@ export class KubeConfig implements SecurityAuthentication {
 new OpenIDConnectAuth(),
 ];
+ // Optionally add additional external authenticators, you must do this
+ // before you load a kubeconfig file that references them.
+ public static addAuthenticator(authenticator: Authenticator): void {
+ this.authenticators.push(authenticator);
+ }
+
 /**
 * The list of all known clusters
 */
diff --git a/src/config_test.ts b/src/config_test.ts
index 5e082ee8bb..196cb51f6b 100644
--- a/src/config_test.ts
+++ b/src/config_test.ts
@@ -9,6 +9,7 @@ import { mock } from 'node:test';
 import mockfs from 'mock-fs';
+import { Authenticator } from './auth.js';
 import { Headers } from 'node-fetch';
 import { HttpMethod } from './index.js';
 import { assertRequestAgentsEqual, assertRequestOptionsEqual } from './test/match-buffer.js';
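Review bot: The `//` comment above `addAuthenticator` in the src/config.ts hunk does not say what a registered authenticator is trusted with, and unlike the `/** The list of all known clusters */` block directly below it, a plain line comment is unlikely to be picked up by API documentation tooling. Judging by the test added in this patch, `applyAuthentication` is handed the kubeconfig `User` entry and writes the `Authorization` header of the outgoing request, so registering one is a trust decision that callers should be told about. I would replace the line comment with a TSDoc block along the lines of `/** Registers an additional Authenticator. It receives the kubeconfig User entry and may set request headers, so register only code you trust. */`.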
@@ -1703,5 +1704,45 @@ describe('KubeConfig', () => {
 }
 validateFileLoad(kc);
 });
+
+ it('should inject a custom Authenticator', async () => {
+ class CustomAuthenticator implements Authenticator {
+ public isAuthProvider(user: User): boolean {
+ return user.authProvider === 'custom';
+ }
+
+ public async applyAuthentication(user: User, opts: RequestOptions): Promise {
+ if (user.authProvider === 'custom') {
+ // Simulate token retrieval
+ const token = 'test-token';
+ opts.headers = opts.headers || {};
+ opts.headers.Authorization = `Bearer ${token}`;
+ } else {
+ throw new Error('No custom configuration found');
+ }
+ }
+ }
+
+ const customAuthenticator = new CustomAuthenticator();
+ KubeConfig.addAuthenticator(customAuthenticator);
+ const kc = new KubeConfig();
+
+ const cluster: Cluster = {
+ name: 'test-cluster',
+ server: 'https://localhost:6443',
+ skipTLSVerify: false,
+ };
+ const user: User = {
+ name: 'test-user',
+ authProvider: 'custom',
+ };
+
+ kc.loadFromClusterAndUser(cluster, user);
+
+ const opts: RequestOptions = {};
+ await kc.applyToHTTPSOptions(opts);
+
+ strictEqual(opts.headers!.Authorization, 'Bearer test-token');
+ });
 });
 });
From a26e167af3363ed026b9b3ab2afba82e37d98622 Mon Sep 17 00:00:00 2001
From: Brendan Burns <5751682+brendandburns@users.noreply.github.com>
Date: Fri, 21 Mar 2025 14:12:21 +0000
Subject: [PATCH 2/2] Switch to config local authenticators instead of static ones.
---
 src/config.ts | 15 ++++++++++++---
 src/config_test.ts | 2 +-
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/config.ts b/src/config.ts
index 93d17aab22..2545fe9a67 100644
--- a/src/config.ts
+++ b/src/config.ts
@@ -65,10 +65,13 @@ export class KubeConfig implements SecurityAuthentication {
 new OpenIDConnectAuth(),
 ];
+ // List of custom authenticators that can be added by the user
+ private custom_authenticators: Authenticator[] = [];
+
 // Optionally add additional external authenticators, you must do this
 // before you load a kubeconfig file that references them.
- public static addAuthenticator(authenticator: Authenticator): void {
- this.authenticators.push(authenticator);
+ public addAuthenticator(authenticator: Authenticator): void {
+ this.custom_authenticators.push(authenticator);
 }
 /**
@@ -583,10 +586,16 @@ export class KubeConfig implements SecurityAuthentication {
 if (!user) {
 return;
 }
- const authenticator = KubeConfig.authenticators.find((elt: Authenticator) => {
+ let authenticator = KubeConfig.authenticators.find((elt: Authenticator) => {
 return elt.isAuthProvider(user);
 });
+ if (!authenticator) {
+ authenticator = this.custom_authenticators.find((elt: Authenticator) => {
+ return elt.isAuthProvider(user);
+ });
+ }
+
 if (!opts.headers) {
 opts.headers = {};
 }
diff --git a/src/config_test.ts b/src/config_test.ts
index 196cb51f6b..9992937aeb 100644
--- a/src/config_test.ts
+++ b/src/config_test.ts
@@ -1724,8 +1724,8 @@ describe('KubeConfig', () => {
 }
 const customAuthenticator = new CustomAuthenticator();
- KubeConfig.addAuthenticator(customAuthenticator);
 const kc = new KubeConfig();
+ kc.addAuthenticator(customAuthenticator);
 const cluster: Cluster = {
 name: 'test-cluster',
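Review bot: The new field `custom_authenticators` in the first src/config.ts hunk is snake_case, while the members visible around it (`authenticators`, `addAuthenticator`) are camelCase, and it is never reassigned in the lines shown. I would declare it as `private readonly customAuthenticators: Authenticator[] = [];` and update the two uses in this patch to match. The retained comment still says registration must happen "before you load a kubeconfig file", but the second hunk appears to look authenticators up only when a request is being prepared, so that wording may be stricter than the code; worth confirming and adjusting.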
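Review bot: The fallback at `if (!authenticator)` in the second src/config.ts hunk gives the built-in authenticators silent precedence: a custom authenticator whose `isAuthProvider` matches a user that a built-in also claims is never consulted, and the caller gets no signal. That order is a sound default, because injected code cannot displace the built-in credential handling, but it is stated nowhere. I would record it next to the lookup, for example `// Built-ins win on purpose: custom authenticators are consulted only when no built-in claims this user.`, and pin it with a test. The enclosing method starts and ends outside this hunk, so what happens when neither list matches is not visible here.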
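Review bot: The src/config_test.ts hunk only moves the registration onto `kc`; no test asserts the property this patch introduces, namely that an authenticator added to one `KubeConfig` is invisible to another. A second `new KubeConfig()` loaded with the same cluster and user and run through `applyToHTTPSOptions` would cover it, for instance with `strictEqual(opts2.headers?.Authorization, undefined);`. Whether the unmatched case yields no header or an error cannot be seen from these hunks, so assert whichever the method actually does. The `it(...)` body begins and ends outside this hunk.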