feat(ContainerAuthenticator): add support for code engine workload (#244)

Signed-off-by: Sascha Schwarze <[email protected]>
Co-authored-by: Phil Adams <[email protected]>

Author: SaschaSchwarze0

Authentication.md

@@ -452,10 +452,10 @@ if err != nil {
 ## Container Authentication
 The `ContainerAuthenticator` is intended to be used by application code
 running inside a compute resource managed by the IBM Kubernetes Service (IKS)
-in which a secure compute resource token (CR token) has been stored in a file
-within the compute resource's local file system.
+or IBM Cloud Code Engine in which a secure compute resource token (CR token)
+has been stored in a file within the compute resource's local file system.
 The CR token is similar to an IAM apikey except that it is managed automatically by
-the compute resource provider (IKS).
+the compute resource provider (IKS or Code Engine).
 This allows the application developer to:
 - avoid storing credentials in application code, configuration files or a password vault
 - avoid managing or rotating credentials
@@ -475,7 +475,9 @@ The IAM access token is added to each outbound request in the `Authorization` he
 
 - CRTokenFilename: (optional) the name of the file containing the injected CR token value.
 If not specified, then the authenticator will first try `/var/run/secrets/tokens/vault-token`
-and then `/var/run/secrets/tokens/sa-token` as the default value (first file found is used).
+and then `/var/run/secrets/tokens/sa-token` and finally
+`/var/run/secrets/codeengine.cloud.ibm.com/compute-resource-token/token` as the default value
+(first file found is used).
 The application must have `read` permissions on the file containing the CR token value.
 
 - IAMProfileName: (optional) the name of the linked trusted IAM profile to be used when obtaining the

core/container_authenticator.go

@@ -1,6 +1,6 @@
 package core
 
-// (C) Copyright IBM Corp. 2021, 2024.
+// (C) Copyright IBM Corp. 2021, 2025.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -29,16 +29,16 @@ import (
 )
 
 // ContainerAuthenticator implements an IAM-based authentication schema whereby it
-// retrieves a "compute resource token" from the local compute resource (VM)
+// retrieves a "compute resource token" from the local compute resource (IKS pod, or Code Engine application, function, or job)
 // and uses that to obtain an IAM access token by invoking the IAM "get token" operation with grant-type=cr-token.
 // The resulting IAM access token is then added to outbound requests in an Authorization header
 // of the form:
 //
 //	Authorization: Bearer <access-token>
 type ContainerAuthenticator struct {
 	// [optional] The name of the file containing the injected CR token value (applies to
-	// IKS-managed compute resources).
-	// Default value: (1) "/var/run/secrets/tokens/vault-token" or (2) "/var/run/secrets/tokens/sa-token",
+	// IKS-managed compute resources, a Code Engine compute resource always uses the third default from below).
+	// Default value: (1) "/var/run/secrets/tokens/vault-token" or (2) "/var/run/secrets/tokens/sa-token" or (3) "/var/run/secrets/codeengine.cloud.ibm.com/compute-resource-token/token",
 	// whichever is found first.
 	CRTokenFilename string
 
@@ -98,9 +98,10 @@ type ContainerAuthenticator struct {
 }
 
 const (
-	defaultCRTokenFilename1 = "/var/run/secrets/tokens/vault-token"      // #nosec G101
-	defaultCRTokenFilename2 = "/var/run/secrets/tokens/sa-token"         // #nosec G101
-	iamGrantTypeCRToken     = "urn:ibm:params:oauth:grant-type:cr-token" // #nosec G101
+	defaultCRTokenFilename1 = "/var/run/secrets/tokens/vault-token"                                    // #nosec G101
+	defaultCRTokenFilename2 = "/var/run/secrets/tokens/sa-token"                                       // #nosec G101
+	defaultCRTokenFilename3 = "/var/run/secrets/codeengine.cloud.ibm.com/compute-resource-token/token" // #nosec G101
+	iamGrantTypeCRToken     = "urn:ibm:params:oauth:grant-type:cr-token"                               // #nosec G101
 )
 
 var craRequestTokenMutex sync.Mutex
@@ -504,6 +505,9 @@ func (authenticator *ContainerAuthenticator) retrieveCRToken() (crToken string,
 		crToken, err = authenticator.readFile(defaultCRTokenFilename1)
 		if err != nil {
 			crToken, err = authenticator.readFile(defaultCRTokenFilename2)
+			if err != nil {
+				crToken, err = authenticator.readFile(defaultCRTokenFilename3)
+			}
 		}
 	}