Add EnableServiceAccountTokenInjection to CRD

deployments/crds/hephaestus.dominodatalab.com_imagebuilds.yaml

@@ -78,6 +78,11 @@ spec:
                 description: DisableCacheLayerExport will remove the "inline" cache
                   metadata from the image configuration.
                 type: boolean
+              enableServiceAccountTokenInjection:
+                description: EnableServiceAccountTokenInjection adds a service account
+                  JWT token as build-arg to the images. This supports use cases like
+                  model building that must access other Domino services
+                type: boolean
               images:
                 description: Images is a list of images to build and push.
                 items:

pkg/api/hephaestus/v1/imagebuild_types.go

@@ -32,6 +32,9 @@ type ImageBuildSpec struct {
 	DisableLocalBuildCache bool `json:"disableBuildCache,omitempty"`
 	// DisableCacheLayerExport will remove the "inline" cache metadata from the image configuration.
 	DisableCacheLayerExport bool `json:"disableCacheExport,omitempty"`
+	// EnableServiceAccountTokenInjection adds a service account JWT token as build-arg to the images.
+	// This supports use cases like model building that must access other Domino services
+	EnableServiceAccountTokenInjection bool `json:"enableServiceAccountTokenInjection,omitempty"`
 }
 
 type ImageBuildTransition struct {

pkg/controller/imagebuild/component/builddispatcher.go

@@ -185,8 +185,7 @@ func (c *BuildDispatcherComponent) Reconcile(ctx *core.Context) (ctrl.Result, er
 	}
 	clientInitSeg.End()
 
-	// TODO: Also inspect CR to determine if JWT injection is allowed
-	if c.keycloakCfg.Enabled {
+	if obj.Spec.EnableServiceAccountTokenInjection && c.keycloakCfg.Enabled {
 		kc := gocloak.NewClient(c.keycloakCfg.Server)
 		jwt, err := kc.LoginClient(buildCtx, c.keycloakCfg.ClientID, c.keycloakCfg.ClientSecret, c.keycloakCfg.Realm)
 		if err != nil {