From 3301c2aaf123cd766cd6b90ccd566415ae869938 Mon Sep 17 00:00:00 2001
From: Paolo Dettori
Date: Thu, 4 Jun 2026 10:29:58 -0400
Subject: [PATCH] fix: inject OPENSHELL_K8S_SA_TOKEN_FILE env for supervisor auth
The mvp-v2 supervisor requires a token to authenticate back to the gateway via IssueSandboxToken. The K8s service account token is already mounted at the default path, but the supervisor needs the env var to know where to find it.
Fixes: kagenti/kagenti#1815
Assisted-By: Claude (Anthropic AI)
Signed-off-by: Paolo Dettori
---
 internal/driver/provisioner.go | 1 +
 internal/driver/provisioner_test.go | 35 +++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
diff --git a/internal/driver/provisioner.go b/internal/driver/provisioner.go
index 66d5473..1a6daba 100644
--- a/internal/driver/provisioner.go
+++ b/internal/driver/provisioner.go
@@ -390,6 +390,7 @@ func (p *K8sProvisioner) buildFullEnvList(
 gatewayEnv["OPENSHELL_TLS_KEY"] = "/tls/client/tls.key"
 }
+ gatewayEnv["OPENSHELL_K8S_SA_TOKEN_FILE"] = "/var/run/secrets/kubernetes.io/serviceaccount/token"
 gatewayEnv["OPENSHELL_LOG_LEVEL"] = "debug"
 gatewayEnv["ANTHROPIC_BASE_URL"] = "https://inference.local"
 gatewayEnv["OPENAI_BASE_URL"] = "https://inference.local/v1"
diff --git a/internal/driver/provisioner_test.go b/internal/driver/provisioner_test.go
index cba00c1..00aba3d 100644
--- a/internal/driver/provisioner_test.go
+++ b/internal/driver/provisioner_test.go
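Review bot: The new `OPENSHELL_K8S_SA_TOKEN_FILE` entry in buildFullEnvList (internal/driver/provisioner.go) hard-codes the default automount path and is set unconditionally, so it points at a missing file whenever the pod or its ServiceAccount sets `automountServiceAccountToken: false`. The token at that path is issued for the API-server audience; if the supervisor presents it to the gateway for IssueSandboxToken, as the commit message suggests, the gateway receives a credential that is also accepted by the Kubernetes API. Consider mounting a projected `serviceAccountToken` volume with a gateway-specific `audience` and a short `expirationSeconds`, and pointing this variable at that mount instead. At minimum, lift the path into a named constant with a comment such as `// default automount path; this token's audience is the API server, not the gateway`. buildFullEnvList starts and ends outside the hunk, so whether automount is configured elsewhere cannot be confirmed from here.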
@@ -463,3 +463,38 @@ func TestBuildSandboxSpec_ImagePullPolicy_Empty(t *testing.T) {
 t.Error("expected no imagePullPolicy on agent container when config is empty")
 }
 }
+
+func TestBuildSandboxSpec_SATokenEnv(t *testing.T) {
+ p := newProvisionerForTest(t)
+
+ sb := &pb.DriverSandbox{
+ Id: "sb-token",
+ Spec: &pb.DriverSandboxSpec{
+ Template: &pb.DriverSandboxTemplate{
+ Image: "agent:latest",
+ },
+ },
+ }
+
+ spec := p.buildSandboxSpec(sb)
+ podTemplate := spec["podTemplate"].(map[string]interface{})
+ podSpec := podTemplate["spec"].(map[string]interface{})
+ containers := podSpec["containers"].([]interface{})
+ agentC := containers[0].(map[string]interface{})
+ envList := agentC["env"].([]interface{})
+
+ var found bool
+ for _, e := range envList {
+ env := e.(map[string]interface{})
+ if env["name"] == "OPENSHELL_K8S_SA_TOKEN_FILE" {
+ found = true
+ if env["value"] != "/var/run/secrets/kubernetes.io/serviceaccount/token" {
+ t.Errorf("expected SA token path, got %v", env["value"])
+ }
+ break
+ }
+ }
+ if !found {
+ t.Error("OPENSHELL_K8S_SA_TOKEN_FILE env var not found in agent container")
+ }
+}
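Review bot: The unchecked type assertions in TestBuildSandboxSpec_SATokenEnv (from `spec["podTemplate"].(map[string]interface{})` through `agentC["env"].([]interface{})`) panic instead of failing with a message if buildSandboxSpec changes shape, and `containers[0]` assumes the agent container is always first. Use the comma-ok form, e.g. `envList, ok := agentC["env"].([]interface{})` followed by `if !ok { t.Fatalf("agent container env has unexpected type %T", agentC["env"]) }`, and select the container by its name rather than by index. Because this variable points at a credential file, and if it is meant for the supervisor only, the test could also assert that no other container in the pod spec receives it. That would catch an accidental widening of the token's reach.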