From 059ee127cd677ab18b48428fcb3c1c4841c0aa56 Mon Sep 17 00:00:00 2001
From: Paolo Dettori
Date: Thu, 4 Jun 2026 12:53:10 -0400
Subject: [PATCH] fix: add openshell.io/sandbox-id annotation to sandbox pods

The gateway's K8s SA authenticator looks up the sandbox identity from annotation openshell.io/sandbox-id on the pod, not the label openshell.ai/sandbox-id. Add the annotation to podTemplate metadata so IssueSandboxToken succeeds after TokenReview. The existing label is kept for backwards compatibility.

Fixes: kagenti/kagenti#1815
Assisted-By: Claude (Anthropic AI)
Signed-off-by: Paolo Dettori
---
 internal/driver/provisioner.go | 8 +++++++-
 internal/driver/provisioner_test.go | 24 ++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/internal/driver/provisioner.go b/internal/driver/provisioner.go
index b2041a5..b08eef0 100644
--- a/internal/driver/provisioner.go
+++ b/internal/driver/provisioner.go
@@ -28,6 +28,7 @@ const (
 labelKagentiInject = "kagenti.io/inject"
 labelTenant = "openshell.ai/tenant"
 labelKagentiTeam = "kagenti.io/team"
+ annotationSandboxID = "openshell.io/sandbox-id"
 )

 // K8sProvisioner implements SandboxProvisioner using the Kubernetes API. It
@@ -380,10 +381,15 @@ func (p *K8sProvisioner) buildSandboxSpec(sb *pb.DriverSandbox) map[string]inter
 podLabels[labelKagentiTeam] = p.cfg.Tenant
 }

+ podAnnotations := map[string]interface{}{
+ annotationSandboxID: sb.GetId(),
+ }
+
 return map[string]interface{}{
 "podTemplate": map[string]interface{}{
 "metadata": map[string]interface{}{
- "labels": podLabels,
+ "labels": podLabels,
+ "annotations": podAnnotations,
 },
 "spec": podSpec,
 },
diff --git a/internal/driver/provisioner_test.go b/internal/driver/provisioner_test.go
index 9f3c974..6ecabc6 100644
--- a/internal/driver/provisioner_test.go
+++ b/internal/driver/provisioner_test.go
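Review bot: In the const hunk of provisioner.go, `annotationSandboxID` uses the `openshell.io` domain while the neighbouring label constants use `openshell.ai`, and nothing in the block says the difference is deliberate. The commit message states that this exact key is what the gateway's K8s SA authenticator reads, so a well-meant normalisation to `.ai` would break token issuance again. A comment above the constant would pin it: `// annotationSandboxID must match the key the gateway's K8s SA authenticator reads; note the .io domain, unlike the .ai labels.` The const block begins outside the hunk.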
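Review bot: In the buildSandboxSpec hunk, `sb.GetId()` is written into the `openshell.io/sandbox-id` annotation with no emptiness check, and per the commit message the gateway derives the sandbox identity from that annotation when issuing a token. If an empty ID can reach this point the pod is created with an empty identity annotation; buildSandboxSpec starts outside the hunk, so an earlier check may already exist. If it does not, leave the key out so the gateway lookup presumably fails as not-found rather than matching an empty value: `podAnnotations := map[string]interface{}{}` followed by `if id := sb.GetId(); id != "" { podAnnotations[annotationSandboxID] = id }`. Because this value is now an authentication input, it is also worth confirming that write access to pod annotations in the sandbox namespace is limited to the provisioner.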
@@ -343,6 +343,30 @@ func TestBuildSandboxSpec_Labels(t *testing.T) {
 }
 }

+func TestBuildSandboxSpec_Annotations(t *testing.T) {
+ p := newProvisionerForTest(t)
+
+ sb := &pb.DriverSandbox{
+ Id: "sb-anno-123",
+ Spec: &pb.DriverSandboxSpec{
+ Template: &pb.DriverSandboxTemplate{
+ Image: "img:latest",
+ },
+ },
+ }
+
+ spec := p.buildSandboxSpec(sb)
+ podTemplate := spec["podTemplate"].(map[string]interface{})
+ meta := podTemplate["metadata"].(map[string]interface{})
+ annotations, ok := meta["annotations"].(map[string]interface{})
+ if !ok {
+ t.Fatal("expected annotations in podTemplate metadata")
+ }
+ if annotations[annotationSandboxID] != "sb-anno-123" {
+ t.Errorf("expected annotation %s=sb-anno-123, got %v", annotationSandboxID, annotations[annotationSandboxID])
+ }
+}
+
 func TestBuildSandboxSpec_TenantLabels(t *testing.T) {
 cfg := testConfig()
 cfg.Tenant = "team1"
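Review bot: The assertion in TestBuildSandboxSpec_Annotations looks the value up through the `annotationSandboxID` constant, so it passes for whatever key string the constant holds and would not catch a regression to the wrong domain, which is the mismatch the commit message describes. Pin the wire key with the literal instead: `if got := annotations["openshell.io/sandbox-id"]; got != "sb-anno-123" {`. The description also says the existing label is kept for backwards compatibility, which this test does not check; that may already be covered by TestBuildSandboxSpec_Labels, whose body is outside the hunk.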