feat: add serviceaccount authentication (#279)

n3rdc4ptn · web-flow · commit 997c609ccee8 · 2025-07-14T11:25:33.000Z
diff --git a/common/apis/v1alpha1/clusteraccess_types.go b/common/apis/v1alpha1/clusteraccess_types.go
@@ -45,7 +45,7 @@ type AuthConfig struct {
 
 	// ServiceAccount is the name of the service account to use
 	// +optional
-	ServiceAccount string `json:"serviceAccount,omitempty"`
+	ServiceAccount *ServiceAccountRef `json:"serviceAccount,omitempty"`
 
 	// ClientCertificateRef points to secrets containing client certificate and key for mTLS
 	// +optional
@@ -85,6 +85,13 @@ type ClusterAccessStatus struct {
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
 
+type ServiceAccountRef struct {
+	Name            string           `json:"name,omitempty"`
+	Namespace       string           `json:"namespace,omitempty"`
+	Audience        []string         `json:"audience,omitempty"`
+	TokenExpiration *metav1.Duration `json:"token_expiration,omitempty"`
+}
+
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
 //+kubebuilder:resource:scope=Cluster,shortName=ca
diff --git a/common/apis/v1alpha1/zz_generated.deepcopy.go b/common/apis/v1alpha1/zz_generated.deepcopy.go
diff --git a/common/auth/config.go b/common/auth/config.go
@@ -6,7 +6,9 @@ import (
 	"errors"
 	"fmt"
 
+	authv1 "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
+
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
@@ -254,9 +256,49 @@ func ConfigureAuthentication(config *rest.Config, auth *gatewayv1alpha1.AuthConf
 		return nil
 	}
 
-	if auth.ServiceAccount != "" {
-		// TODO: Implement service account-based authentication
-		return errors.New("service account authentication not yet implemented")
+	if auth.ServiceAccount != nil {
+		var expirationSeconds int64
+		if auth.ServiceAccount.TokenExpiration != nil {
+			// If TokenExpiration is provided, use its value
+			expirationSeconds = int64(auth.ServiceAccount.TokenExpiration.Duration.Seconds())
+		} else {
+			// If TokenExpiration is nil, use the desired default (3600 seconds = 1 hour)
+			expirationSeconds = 3600
+			fmt.Println("Warning: auth.ServiceAccount.TokenExpiration is nil, defaulting to 3600 seconds.")
+		}
+
+		// Build the TokenRequest object
+		tokenRequest := &authv1.TokenRequest{
+			Spec: authv1.TokenRequestSpec{
+				Audiences: auth.ServiceAccount.Audience,
+				// Optionally set ExpirationSeconds, BoundObjectRef, etc.
+				ExpirationSeconds: &expirationSeconds,
+			},
+		}
+
+		// Get the service account token using the Kubernetes API
+		sa := &corev1.ServiceAccount{}
+		err := k8sClient.Get(ctx, types.NamespacedName{
+			Name:      auth.ServiceAccount.Name,
+			Namespace: auth.ServiceAccount.Namespace,
+		}, sa)
+		if err != nil {
+			return errors.Join(errors.New("failed to get service account"), err)
+		}
+
+		err = k8sClient.SubResource("token").Create(ctx, sa, tokenRequest)
+		if err != nil {
+			return errors.Join(errors.New("failed to create token request for service account"), err)
+		}
+
+		if tokenRequest.Status.Token == "" {
+			return errors.New("received empty token from TokenRequest API")
+		}
+
+		config.BearerToken = tokenRequest.Status.Token
+
+		fmt.Println("Token:", config.BearerToken)
+		return nil
 	}
 
 	// No authentication configured - this might work for some clusters
diff --git a/config/crd/gateway.openmfp.org_clusteraccesses.yaml b/config/crd/gateway.openmfp.org_clusteraccesses.yaml
@@ -82,7 +82,18 @@ spec:
                   serviceAccount:
                     description: ServiceAccount is the name of the service account
                       to use
-                    type: string
+                    properties:
+                      audience:
+                        items:
+                          type: string
+                        type: array
+                      name:
+                        type: string
+                      namespace:
+                        type: string
+                      token_expiration:
+                        type: string
+                    type: object
                 type: object
               ca:
                 description: CA configuration for the cluster
diff --git a/listener/reconciler/clusteraccess/auth_extractor_test.go b/listener/reconciler/clusteraccess/auth_extractor_test.go
@@ -169,18 +169,6 @@ clusters:
 			},
 			wantErr: false,
 		},
-		{
-			name: "service_account_auth_not_implemented",
-			auth: &gatewayv1alpha1.AuthConfig{
-				ServiceAccount: "test-sa",
-			},
-			mockSetup: func(m *mocks.MockClient) {},
-			wantConfig: func(config *rest.Config) *rest.Config {
-				return config
-			},
-			wantErr:     true,
-			errContains: "service account authentication not yet implemented",
-		},
 		{
 			name: "secret_not_found",
 			auth: &gatewayv1alpha1.AuthConfig{
