fix(router): add auth header for workload manager

Signed-off-by: Zhou Zihang <z@mcac.cc>

Author: acsoto

pkg/router/session_manager.go

@@ -34,6 +34,8 @@ import (
 	"golang.org/x/net/http2"
 )
 
+const serviceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+
 // SessionManager defines the session management behavior on top of Store and the workload manager.
 type SessionManager interface {
 	// GetSandboxBySession returns the sandbox associated with the given sessionID.
@@ -139,6 +141,9 @@ func (m *manager) createSandbox(ctx context.Context, namespace string, name stri
 		return nil, fmt.Errorf("failed to create HTTP request: %w", err)
 	}
 	req.Header.Set("Content-Type", "application/json")
+	if token := loadWorkloadManagerAuthToken(); token != "" {
+		req.Header.Set("Authorization", "Bearer "+token)
+	}
 
 	// Send the request
 	resp, err := m.httpClient.Do(req)
@@ -186,3 +191,18 @@ func (m *manager) createSandbox(ctx context.Context, namespace string, name stri
 
 	return sandbox, nil
 }
+
+func loadWorkloadManagerAuthToken() string {
+	if token := strings.TrimSpace(os.Getenv("API_TOKEN")); token != "" {
+		return token
+	}
+
+	b, err := os.ReadFile(serviceAccountTokenPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return ""
+		}
+		return ""
+	}
+	return strings.TrimSpace(string(b))
+}