fix(router): add auth header for workload manager

acsoto · acsoto · commit 359fbe3816c2 · 2026-01-30T16:26:49.000+08:00
Signed-off-by: Zhou Zihang &lt;z@mcac.cc&gt;
diff --git a/pkg/router/session_manager.go b/pkg/router/session_manager.go
@@ -32,8 +32,12 @@ import (
 	"github.com/volcano-sh/agentcube/pkg/common/types"
 	"github.com/volcano-sh/agentcube/pkg/store"
 	"golang.org/x/net/http2"
+	"k8s.io/klog/v2"
 )
 
+// #nosec G101 -- well-known Kubernetes service account token path, not a credential.
+var serviceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+
 // SessionManager defines the session management behavior on top of Store and the workload manager.
 type SessionManager interface {
 	// GetSandboxBySession returns the sandbox associated with the given sessionID.
@@ -139,6 +143,9 @@ func (m *manager) createSandbox(ctx context.Context, namespace string, name stri
 		return nil, fmt.Errorf("failed to create HTTP request: %w", err)
 	}
 	req.Header.Set("Content-Type", "application/json")
+	if token := loadWorkloadManagerAuthToken(); token != "" {
+		req.Header.Set("Authorization", "Bearer "+token)
+	}
 
 	// Send the request
 	resp, err := m.httpClient.Do(req)
@@ -186,3 +193,18 @@ func (m *manager) createSandbox(ctx context.Context, namespace string, name stri
 
 	return sandbox, nil
 }
+
+func loadWorkloadManagerAuthToken() string {
+	if token := strings.TrimSpace(os.Getenv("API_TOKEN")); token != "" {
+		return token
+	}
+
+	b, err := os.ReadFile(serviceAccountTokenPath)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			klog.Warningf("failed to read service account token: %v", err)
+		}
+		return ""
+	}
+	return strings.TrimSpace(string(b))
+}
diff --git a/pkg/router/session_manager_test.go b/pkg/router/session_manager_test.go
@@ -22,6 +22,8 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"os"
+	"path/filepath"
 	"testing"
 	"time"
 
@@ -226,6 +228,166 @@ func TestGetSandboxBySession_CreateSandbox_AgentRuntime_Success(t *testing.T) {
 	}
 }
 
+func TestGetSandboxBySession_CreateSandbox_SetsAuthHeaderFromEnv(t *testing.T) {
+	// #nosec G101 -- test token, not a real credential.
+	const token = "env-token-123"
+
+	if err := os.Setenv("API_TOKEN", token); err != nil {
+		t.Fatalf("failed to set API_TOKEN: %v", err)
+	}
+	defer func() {
+		_ = os.Unsetenv("API_TOKEN")
+	}()
+
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if got := r.Header.Get("Authorization"); got != "Bearer "+token {
+			t.Fatalf("expected Authorization header %q, got %q", "Bearer "+token, got)
+		}
+		resp := types.CreateSandboxResponse{
+			SessionID:   "new-session-123",
+			SandboxID:   "sandbox-456",
+			SandboxName: "sandbox-test",
+			EntryPoints: []types.SandboxEntryPoint{{Endpoint: "10.0.0.1:9000"}},
+		}
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		_ = json.NewEncoder(w).Encode(resp)
+	}))
+	defer mockServer.Close()
+
+	m := &manager{
+		storeClient:     &fakeStoreClient{},
+		workloadMgrAddr: mockServer.URL,
+		httpClient:      &http.Client{},
+	}
+
+	if _, err := m.GetSandboxBySession(context.Background(), "", "default", "test-runtime", types.AgentRuntimeKind); err != nil {
+		t.Fatalf("GetSandboxBySession unexpected error: %v", err)
+	}
+}
+
+func TestGetSandboxBySession_CreateSandbox_SetsAuthHeaderFromFile(t *testing.T) {
+	// #nosec G101 -- test token, not a real credential.
+	const token = "file-token-456"
+
+	dir := t.TempDir()
+	tokenPath := filepath.Join(dir, "token")
+	if err := os.WriteFile(tokenPath, []byte(token+"\n"), 0o600); err != nil {
+		t.Fatalf("failed to write token file: %v", err)
+	}
+
+	origTokenPath := serviceAccountTokenPath
+	serviceAccountTokenPath = tokenPath
+	defer func() {
+		serviceAccountTokenPath = origTokenPath
+	}()
+
+	_ = os.Unsetenv("API_TOKEN")
+
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if got := r.Header.Get("Authorization"); got != "Bearer "+token {
+			t.Fatalf("expected Authorization header %q, got %q", "Bearer "+token, got)
+		}
+		resp := types.CreateSandboxResponse{
+			SessionID:   "new-session-123",
+			SandboxID:   "sandbox-456",
+			SandboxName: "sandbox-test",
+			EntryPoints: []types.SandboxEntryPoint{{Endpoint: "10.0.0.1:9000"}},
+		}
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		_ = json.NewEncoder(w).Encode(resp)
+	}))
+	defer mockServer.Close()
+
+	m := &manager{
+		storeClient:     &fakeStoreClient{},
+		workloadMgrAddr: mockServer.URL,
+		httpClient:      &http.Client{},
+	}
+
+	if _, err := m.GetSandboxBySession(context.Background(), "", "default", "test-runtime", types.AgentRuntimeKind); err != nil {
+		t.Fatalf("GetSandboxBySession unexpected error: %v", err)
+	}
+}
+
+func TestGetSandboxBySession_CreateSandbox_NoAuthHeaderWhenNoToken(t *testing.T) {
+	dir := t.TempDir()
+	missingPath := filepath.Join(dir, "missing-token")
+
+	origTokenPath := serviceAccountTokenPath
+	serviceAccountTokenPath = missingPath
+	defer func() {
+		serviceAccountTokenPath = origTokenPath
+	}()
+
+	_ = os.Unsetenv("API_TOKEN")
+
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if got := r.Header.Get("Authorization"); got != "" {
+			t.Fatalf("expected no Authorization header, got %q", got)
+		}
+		resp := types.CreateSandboxResponse{
+			SessionID:   "new-session-123",
+			SandboxID:   "sandbox-456",
+			SandboxName: "sandbox-test",
+			EntryPoints: []types.SandboxEntryPoint{{Endpoint: "10.0.0.1:9000"}},
+		}
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		_ = json.NewEncoder(w).Encode(resp)
+	}))
+	defer mockServer.Close()
+
+	m := &manager{
+		storeClient:     &fakeStoreClient{},
+		workloadMgrAddr: mockServer.URL,
+		httpClient:      &http.Client{},
+	}
+
+	if _, err := m.GetSandboxBySession(context.Background(), "", "default", "test-runtime", types.AgentRuntimeKind); err != nil {
+		t.Fatalf("GetSandboxBySession unexpected error: %v", err)
+	}
+}
+
+func TestGetSandboxBySession_CreateSandbox_TokenFileReadError(t *testing.T) {
+	dir := t.TempDir()
+
+	origTokenPath := serviceAccountTokenPath
+	serviceAccountTokenPath = dir // ReadFile on a directory returns an error (not IsNotExist)
+	defer func() {
+		serviceAccountTokenPath = origTokenPath
+	}()
+
+	_ = os.Unsetenv("API_TOKEN")
+
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if got := r.Header.Get("Authorization"); got != "" {
+			t.Fatalf("expected no Authorization header, got %q", got)
+		}
+		resp := types.CreateSandboxResponse{
+			SessionID:   "new-session-123",
+			SandboxID:   "sandbox-456",
+			SandboxName: "sandbox-test",
+			EntryPoints: []types.SandboxEntryPoint{{Endpoint: "10.0.0.1:9000"}},
+		}
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		_ = json.NewEncoder(w).Encode(resp)
+	}))
+	defer mockServer.Close()
+
+	m := &manager{
+		storeClient:     &fakeStoreClient{},
+		workloadMgrAddr: mockServer.URL,
+		httpClient:      &http.Client{},
+	}
+
+	if _, err := m.GetSandboxBySession(context.Background(), "", "default", "test-runtime", types.AgentRuntimeKind); err != nil {
+		t.Fatalf("GetSandboxBySession unexpected error: %v", err)
+	}
+}
+
 func TestGetSandboxBySession_CreateSandbox_CodeInterpreter_Success(t *testing.T) {
 	// Mock workload manager server
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
