config: support username impersonation

cjihrig · cjihrig · commit 35932fad38d8 · 2025-04-15T11:24:22.000-04:00
This commit adds support for username impersonation. This does not implement group, UID, or extra impersonation. Refs: #2355
diff --git a/src/config.ts b/src/config.ts
@@ -582,6 +582,11 @@ export class KubeConfig implements SecurityAuthentication {
         if (key) {
             opts.key = key;
         }
+
+        if (user.impersonateUser != null) {
+            opts.headers ??= {};
+            opts.headers['Impersonate-User'] = user.impersonateUser;
+        }
     }
 
     private async applyAuthorizationHeader(
diff --git a/src/config_test.ts b/src/config_test.ts
@@ -1787,4 +1787,25 @@ describe('KubeConfig', () => {
             strictEqual(opts.headers!.Authorization, 'Bearer test-token');
         });
     });
+
+    describe('Impersonation', () => {
+        it('injects Impersonate-User header', async () => {
+            const kc = new KubeConfig();
+            const cluster: Cluster = {
+                name: 'test-cluster',
+                server: 'https://localhost:6443',
+                skipTLSVerify: false,
+            };
+            const user: User = {
+                name: 'test-user',
+                authProvider: 'custom',
+                impersonateUser: 'impersonate-user',
+            };
+
+            kc.loadFromClusterAndUser(cluster, user);
+            const opts: RequestOptions = {};
+            await kc.applyToHTTPSOptions(opts);
+            strictEqual(opts.headers!['Impersonate-User'], 'impersonate-user');
+        });
+    });
 });
diff --git a/src/config_types.ts b/src/config_types.ts
@@ -97,6 +97,7 @@ export interface User {
     readonly token?: string;
     readonly username?: string;
     readonly password?: string;
+    readonly impersonateUser?: string;
 }
 
 export function newUsers(a: any, opts?: Partial<ConfigOptions>): User[] {
@@ -122,6 +123,7 @@ export function exportUser(user: User): any {
             token: user.token,
             password: user.password,
             username: user.username,
+            as: user.impersonateUser,
         },
     };
 }
@@ -143,6 +145,7 @@ function userIterator(onInvalidEntry: ActionOnInvalid): (elt: any, i: number, li
                 token: findToken(elt.user),
                 password: elt.user ? elt.user.password : null,
                 username: elt.user ? elt.user.username : null,
+                impersonateUser: elt.as ? elt.as : null,
             };
         } catch (err) {
             switch (onInvalidEntry) {

Original file line number	Diff line number	Diff line change
`@@ -582,6 +582,11 @@ export class KubeConfig implements SecurityAuthentication {`
`582`	`582`	`if (key) {`
`583`	`583`	`opts.key = key;`
`584`	`584`	`}`
	`585`	`+`
	`586`	`+ if (user.impersonateUser != null) {`
	`587`	`+ opts.headers ??= {};`
	`588`	`+ opts.headers['Impersonate-User'] = user.impersonateUser;`
	`589`	`+ }`
`585`	`590`	`}`
`586`	`591`
`587`	`592`	`private async applyAuthorizationHeader(`