feat: add ServiceAccountRef support for ClusterAccess authentication (#129)

* feat: add ServiceAccountRef support for ClusterAccess authentication

- Add extractServiceAccountAuth to metadata injector for storing SA reference info
- Implement ServiceAccountRoundTripper for dynamic token generation via TokenRequest API
- Extend AuthMetadata struct with service account fields
- Initialize local k8s client in ClusterRegistry for token generation
- Make Name and Namespace required fields in ServiceAccountRef

Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com>
On-behalf-of: @SAP <bastian.echterhoelter@sap.com>

* fix: add workaround for setup-envtest empty directory bug

setup-envtest doesn't verify binaries exist if the directory is present.
Check if etcd binary exists before deciding whether to force re-download.

Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com>
On-behalf-of: @SAP <bastian.echterhoelter@sap.com>

* fix: address PR review comments

- Use Status.ExpirationTimestamp from TokenRequest API instead of requested TTL
  (API server may override the requested expiration)
- Check both etcd and kube-apiserver executability in Taskfile envtest workaround

Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com>
On-behalf-of: @SAP <bastian.echterhoelter@sap.com>

* fix: make default ServiceAccount token expiration configurable

Add listener-default-sa-expiration-seconds config option to allow
customizing the default token expiration for ServiceAccount-based
authentication when not explicitly set in the ClusterAccess spec.

Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com>
On-behalf-of: @SAP <bastian.echterhoelter@sap.com>

* feat: add docker:kind task to build and load images into kind cluster

Add a new Taskfile task that:
- Looks up the current image tag from the running deployment
- Builds the container image with that tag
- Loads it into the kind cluster
- Restarts the deployment to pick up the new image

Supports both docker and podman via CONTAINER_RUNTIME variable.

Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com>
On-behalf-of: @SAP <bastian.echterhoelter@sap.com>

* docs: update local_test.md with docker:kind task

Replace manual build/tag/load steps with the new docker:kind task
that automates the entire workflow.

Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com>
On-behalf-of: @SAP <bastian.echterhoelter@sap.com>

---------

Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com>

Author: nexus49

Taskfile.yml

@@ -46,6 +46,30 @@ tasks:
   docker:
     cmds:
       - docker build -t ghcr.io/platform-mesh/kubernetes-graphql-gateway .
+
+  docker:kind:
+    desc: "Build container image with current tag from kind cluster and load it"
+    vars:
+      CONTAINER_RUNTIME: '{{.CONTAINER_RUNTIME | default "docker"}}'
+      KIND_CLUSTER: '{{.KIND_CLUSTER | default "platform-mesh"}}'
+      DEPLOYMENT_NAME: '{{.DEPLOYMENT_NAME | default "kubernetes-graphql-gateway"}}'
+      DEPLOYMENT_NAMESPACE: '{{.DEPLOYMENT_NAMESPACE | default "platform-mesh-system"}}'
+      IMAGE_TAG:
+        sh: kubectl get deployment {{.DEPLOYMENT_NAME}} -n {{.DEPLOYMENT_NAMESPACE}} -o jsonpath='{.spec.template.spec.containers[0].image}' | cut -d':' -f2
+      IMAGE_NAME: ghcr.io/platform-mesh/kubernetes-graphql-gateway:{{.IMAGE_TAG}}
+    cmds:
+      - echo "Building image with tag {{.IMAGE_TAG}} using {{.CONTAINER_RUNTIME}}"
+      - "{{.CONTAINER_RUNTIME}} build -t {{.IMAGE_NAME}} ."
+      - |
+        if [ "{{.CONTAINER_RUNTIME}}" = "podman" ]; then
+          {{.CONTAINER_RUNTIME}} save {{.IMAGE_NAME}} -o /tmp/kind-image.tar
+          kind load image-archive /tmp/kind-image.tar --name {{.KIND_CLUSTER}}
+          rm -f /tmp/kind-image.tar
+        else
+          kind load docker-image {{.IMAGE_NAME}} --name {{.KIND_CLUSTER}}
+        fi
+      - kubectl rollout restart deployment/{{.DEPLOYMENT_NAME}} -n {{.DEPLOYMENT_NAMESPACE}}
+      - echo "Image loaded and deployment restarted"
   ## Testing
   fmt:
     cmds:
@@ -59,7 +83,14 @@ tasks:
     deps: [setup:envtest]
     env:
       KUBEBUILDER_ASSETS:
-        sh: $(pwd)/{{.LOCAL_BIN}}/setup-envtest use {{.ENVTEST_K8S_VERSION}} --bin-dir $(pwd)/{{.LOCAL_BIN}} -p path
+        # Workaround for setup-envtest bug: it doesn't verify binaries exist if directory is present
+        sh: |
+          ASSETS_PATH=$(pwd)/{{.LOCAL_BIN}}/k8s/{{.ENVTEST_K8S_VERSION}}-$(go env GOOS)-$(go env GOARCH)
+          if [ ! -x "$ASSETS_PATH/etcd" ] || [ ! -x "$ASSETS_PATH/kube-apiserver" ]; then
+            $(pwd)/{{.LOCAL_BIN}}/setup-envtest use {{.ENVTEST_K8S_VERSION}} --bin-dir $(pwd)/{{.LOCAL_BIN}} --force -p path
+          else
+            echo "$ASSETS_PATH"
+          fi
     cmds:
       - go test ./... {{.ADDITIONAL_COMMAND_ARGS}}
   test:

cmd/root.go

@@ -60,6 +60,7 @@ func initConfig() {
 	// Listener
 	v.SetDefault("listener-apiexport-workspace", ":root")
 	v.SetDefault("listener-apiexport-name", "kcp.io")
+	v.SetDefault("listener-default-sa-expiration-seconds", 3600)
 
 	// Gateway
 	v.SetDefault("gateway-port", "8080")

common/apis/v1alpha1/clusteraccess_types.go

@@ -91,8 +91,8 @@ type ClusterAccessStatus struct {
 }
 
 type ServiceAccountRef struct {
-	Name            string           `json:"name,omitempty"`
-	Namespace       string           `json:"namespace,omitempty"`
+	Name            string           `json:"name"`
+	Namespace       string           `json:"namespace"`
 	Audience        []string         `json:"audience,omitempty"`
 	TokenExpiration *metav1.Duration `json:"token_expiration,omitempty"`
 }

common/auth/metadata_injector.go

@@ -21,30 +21,40 @@ import (
 
 // MetadataInjectionConfig contains configuration for metadata injection
 type MetadataInjectionConfig struct {
-	Host         string
-	Path         string
-	Auth         *gatewayv1alpha1.AuthConfig
-	CA           *gatewayv1alpha1.CAConfig
-	HostOverride string // For virtual workspaces
+	Host                       string
+	Path                       string
+	Auth                       *gatewayv1alpha1.AuthConfig
+	CA                         *gatewayv1alpha1.CAConfig
+	HostOverride               string // For virtual workspaces
+	DefaultSAExpirationSeconds int64  // Default expiration for ServiceAccount tokens
 }
 
 // MetadataInjector provides metadata injection services with structured logging
 type MetadataInjector struct {
-	log    *logger.Logger
-	client client.Client
+	log                        *logger.Logger
+	client                     client.Client
+	defaultSAExpirationSeconds int64
 }
 
 // NewMetadataInjector creates a new MetadataInjector service
-func NewMetadataInjector(log *logger.Logger, client client.Client) *MetadataInjector {
+func NewMetadataInjector(log *logger.Logger, client client.Client, defaultSAExpirationSeconds int64) *MetadataInjector {
+	if defaultSAExpirationSeconds <= 0 {
+		defaultSAExpirationSeconds = 3600
+	}
 	return &MetadataInjector{
-		log:    log,
-		client: client,
+		log:                        log,
+		client:                     client,
+		defaultSAExpirationSeconds: defaultSAExpirationSeconds,
 	}
 }
 
 // InjectClusterMetadata injects cluster metadata into schema JSON
 // This unified function handles both KCP and ClusterAccess use cases
 func (m *MetadataInjector) InjectClusterMetadata(ctx context.Context, schemaJSON []byte, config MetadataInjectionConfig) ([]byte, error) {
+	if config.DefaultSAExpirationSeconds > 0 {
+		m.defaultSAExpirationSeconds = config.DefaultSAExpirationSeconds
+	}
+
 	// Parse the existing schema JSON
 	var schemaData map[string]any
 	if err := json.Unmarshal(schemaJSON, &schemaData); err != nil {
@@ -146,6 +156,10 @@ func (m *MetadataInjector) extractAuthDataForMetadata(ctx context.Context, auth
 		return m.extractKubeconfigAuth(ctx, auth.KubeconfigSecretRef)
 	}
 
+	if auth.ServiceAccount != nil {
+		return m.extractServiceAccountAuth(ctx, auth.ServiceAccount)
+	}
+
 	if auth.ClientCertificateRef != nil {
 		return m.extractClientCertAuth(ctx, auth.ClientCertificateRef)
 	}
@@ -210,6 +224,30 @@ func (m *MetadataInjector) extractClientCertAuth(ctx context.Context, certRef *g
 	}, nil
 }
 
+// extractServiceAccountAuth stores service account reference info for dynamic token generation
+// The actual token generation happens at request time in the gateway's roundtripper
+func (m *MetadataInjector) extractServiceAccountAuth(_ context.Context, saRef *gatewayv1alpha1.ServiceAccountRef) (map[string]any, error) {
+	namespace := saRef.Namespace
+
+	expirationSeconds := m.defaultSAExpirationSeconds
+	if saRef.TokenExpiration != nil {
+		expirationSeconds = int64(saRef.TokenExpiration.Seconds())
+	}
+
+	result := map[string]any{
+		"type":                    "serviceAccount",
+		"serviceAccountName":      saRef.Name,
+		"serviceAccountNamespace": namespace,
+		"tokenExpirationSeconds":  expirationSeconds,
+	}
+
+	if len(saRef.Audience) > 0 {
+		result["audience"] = saRef.Audience
+	}
+
+	return result, nil
+}
+
 // getSecret is a helper function to retrieve secrets with namespace defaulting
 func (m *MetadataInjector) getSecret(ctx context.Context, name, namespace string) (*corev1.Secret, error) {
 	if namespace == "" {
@@ -460,26 +498,26 @@ func (m *MetadataInjector) finalizeSchemaInjection(schemaData map[string]any, me
 
 // InjectClusterMetadata is a legacy wrapper for backward compatibility
 func InjectClusterMetadata(ctx context.Context, schemaJSON []byte, config MetadataInjectionConfig, k8sClient client.Client, log *logger.Logger) ([]byte, error) {
-	injector := NewMetadataInjector(log, k8sClient)
+	injector := NewMetadataInjector(log, k8sClient, config.DefaultSAExpirationSeconds)
 	return injector.InjectClusterMetadata(ctx, schemaJSON, config)
 }
 
 // InjectKCPMetadataFromEnv is a legacy wrapper for backward compatibility
 func InjectKCPMetadataFromEnv(schemaJSON []byte, clusterPath string, log *logger.Logger, hostOverride ...string) ([]byte, error) {
-	injector := NewMetadataInjector(log, nil)
+	injector := NewMetadataInjector(log, nil, 0)
 	return injector.InjectKCPMetadataFromEnv(schemaJSON, clusterPath, hostOverride...)
 }
 
 // Test exports for internal testing - these expose internal methods for unit tests
 
 // extractKubeconfigFromEnv is exported for testing
 func extractKubeconfigFromEnv(log *logger.Logger) ([]byte, string, error) {
-	injector := NewMetadataInjector(log, nil)
+	injector := NewMetadataInjector(log, nil, 0)
 	return injector.extractKubeconfigFromEnv()
 }
 
 // extractAuthDataForMetadata is exported for testing
 func extractAuthDataForMetadata(ctx context.Context, auth *gatewayv1alpha1.AuthConfig, k8sClient client.Client) (map[string]any, error) {
-	injector := NewMetadataInjector(nil, k8sClient)
+	injector := NewMetadataInjector(nil, k8sClient, 0)
 	return injector.extractAuthDataForMetadata(ctx, auth)
 }