feat(apikey): support custom metadata in token (#134)

### Motivation

Support custom metadata in the token.

Author: mattisonchao

cloud/data_source_apikey.go

@@ -18,7 +18,6 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
-	"github.com/streamnative/cloud-api-server/pkg/apis/cloud/v1alpha1"
 	"net/url"
 	"os"
 	"strings"
@@ -27,6 +26,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/lestrrat-go/jwx/v2/jwa"
 	"github.com/lestrrat-go/jwx/v2/jwe"
+	"github.com/streamnative/cloud-api-server/pkg/apis/cloud/v1alpha1"
 	"github.com/streamnative/terraform-provider-streamnative/cloud/util"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -77,6 +77,11 @@ func dataSourceApiKey() *schema.Resource {
 				Computed:    true,
 				Description: descriptions["service_account_name"],
 			},
+			"customized_metadata": {
+				Type:        schema.TypeMap,
+				Computed:    true,
+				Description: descriptions["customized_metadata"],
+			},
 			"description": {
 				Type:        schema.TypeString,
 				Description: descriptions["description"],
@@ -149,6 +154,11 @@ func DataSourceApiKeyRead(ctx context.Context, d *schema.ResourceData, meta inte
 	if err = d.Set("instance_name", apiKey.Spec.InstanceName); err != nil {
 		return diag.FromErr(fmt.Errorf("ERROR_SET_INSTANCE_NAME: %w", err))
 	}
+	if apiKey.Spec.CustomizedMetadata != nil && len(apiKey.Spec.CustomizedMetadata) > 0 {
+		if err = d.Set("customized_metadata", apiKey.Spec.CustomizedMetadata); err != nil {
+			return diag.FromErr(fmt.Errorf("ERROR_SET_CUSTOMIZED_METADATA: %w", err))
+		}
+	}
 	if err = d.Set("service_account_name", apiKey.Spec.ServiceAccountName); err != nil {
 		return diag.FromErr(fmt.Errorf("ERROR_SET_SERVICE_ACCOUNT_NAME: %w", err))
 	}

cloud/provider.go

@@ -184,13 +184,14 @@ func init() {
 		"rolebinding_condition_resource_names_subscription":    "The conditional role binding resource name - subscription",
 		"rolebinding_condition_resource_names_service_account": "The conditional role binding resource name - service account",
 		"rolebinding_condition_resource_names_secret":          "The conditional role binding resource name - secret",
-		"volume_name":    "The name of the volume",
-		"bucket":         "The bucket name",
-		"path":           "The path of the bucket",
-		"bucket_region":  "The region of the bucket",
-		"role_arn":       "The role arn of the bucket, it is used to access the bucket",
-		"volume_ready":   "Volume is ready, it will be set to 'True' after the volume is ready",
-		"principal_name": "The principal name of apikey, it is the principal name of the service account that the apikey is associated with, it is used to grant permission on pulsar side",
+		"volume_name":         "The name of the volume",
+		"bucket":              "The bucket name",
+		"path":                "The path of the bucket",
+		"bucket_region":       "The region of the bucket",
+		"role_arn":            "The role arn of the bucket, it is used to access the bucket",
+		"volume_ready":        "Volume is ready, it will be set to 'True' after the volume is ready",
+		"principal_name":      "The principal name of apikey, it is the principal name of the service account that the apikey is associated with, it is used to grant permission on pulsar side",
+		"customized_metadata": "The custom metadata in the api key token",
 	}
 }
 

cloud/resource_apikey.go

@@ -86,6 +86,11 @@ func resourceApiKey() *schema.Resource {
 				ForceNew:    true,
 				Description: descriptions["instance_name"],
 			},
+			"customized_metadata": {
+				Type:        schema.TypeMap,
+				Optional:    true,
+				Description: descriptions["customized_metadata"],
+			},
 			"token": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -221,6 +226,14 @@ func resourceApiKeyCreate(ctx context.Context, d *schema.ResourceData, m interfa
 	}
 	revoke := d.Get("revoke").(bool)
 	ak.Spec.Revoke = revoke
+	metadata := d.Get("customized_metadata").(map[string]interface{})
+	if metadata != nil && len(metadata) > 0 {
+		customizedMetadata := map[string]string{}
+		for k, v := range metadata {
+			customizedMetadata[k] = v.(string)
+		}
+		ak.Spec.CustomizedMetadata = customizedMetadata
+	}
 	_, err = clientSet.CloudV1alpha1().APIKeys(namespace).Create(ctx, ak, metav1.CreateOptions{
 		FieldManager: "terraform-create",
 	})
@@ -331,6 +344,13 @@ func resourceApiKeyRead(ctx context.Context, d *schema.ResourceData, m interface
 	if err = d.Set("organization", apiKey.Namespace); err != nil {
 		return diag.FromErr(fmt.Errorf("ERROR_SET_ORGANIZATION: %w", err))
 	}
+
+	if apiKey.Spec.CustomizedMetadata != nil && len(apiKey.Spec.CustomizedMetadata) > 0 {
+		if err = d.Set("customized_metadata", apiKey.Spec.CustomizedMetadata); err != nil {
+			return diag.FromErr(fmt.Errorf("ERROR_SET_CUSTOMIZED_METADATA: %w", err))
+		}
+	}
+
 	if err = d.Set("name", apiKey.Name); err != nil {
 		return diag.FromErr(fmt.Errorf("ERROR_SET_NAME: %w", err))
 	}

examples/apikey/main.tf

@@ -35,6 +35,9 @@ resource "streamnative_apikey" "test-admin-a" {
   instance_name = "terraform-test-api-key-pulsar-instance"
   service_account_name = "test-tf-admin"
   description = "This is a test api key for terraform"
+  customized_metadata = {
+   "client_id": "abc"
+  }
   # If you want to revoke the api key, you can set revoke to true
   # By default, after revoking an apikey object, all connections using that apikey will
   # fail after 1 minute due to an authentication exception.

go.mod

@@ -10,20 +10,20 @@ require (
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.28.0
 	github.com/lestrrat-go/jwx/v2 v2.0.21
 	github.com/pkg/errors v0.9.1
-	github.com/streamnative/cloud-api-server v1.33.1-0.20250815224548-77ed42932280
+	github.com/streamnative/cloud-api-server v1.33.1-0.20250924010600-2dad16b92d25
 	github.com/streamnative/cloud-cli v0.22.0-rc.1
 	github.com/stretchr/testify v1.10.0
 	github.com/xhit/go-str2duration/v2 v2.1.0
-	k8s.io/apimachinery v0.30.9
+	k8s.io/apimachinery v0.32.3
 	k8s.io/cli-runtime v0.30.9
 	k8s.io/client-go v12.0.0+incompatible
 	k8s.io/kubectl v0.30.9
-	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
+	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e
 )
 
 require (
 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
-	github.com/AthenZ/athenz v1.10.39 // indirect
+	github.com/AthenZ/athenz v1.12.13 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/DataDog/zstd v1.5.0 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
@@ -35,7 +35,7 @@ require (
 	github.com/actgardner/gogen-avro/v10 v10.2.1 // indirect
 	github.com/agext/levenshtein v1.2.2 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
-	github.com/apache/pulsar-client-go v0.13.1 // indirect
+	github.com/apache/pulsar-client-go v0.16.0-candidate-1.0.20250731021612-06f4dd8bcff0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
 	github.com/ardielle/ardielle-go v1.5.2 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
@@ -62,9 +62,10 @@ require (
 	github.com/fatih/camelcase v1.0.0 // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/fvbommel/sortorder v1.1.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
@@ -79,15 +80,15 @@ require (
 	github.com/google/btree v1.0.1 // indirect
 	github.com/google/cel-go v0.21.0 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-jsonnet v0.20.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
 	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
-	github.com/hamba/avro/v2 v2.22.2-0.20240625062549-66aad10411d9 // indirect
+	github.com/hamba/avro/v2 v2.26.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-checkpoint v0.5.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@@ -143,13 +144,13 @@ require (
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/onsi/gomega v1.35.1 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/pierrec/lz4 v2.5.2+incompatible // indirect
+	github.com/pierrec/lz4/v4 v4.1.22 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/posener/complete v1.2.3 // indirect
-	github.com/prometheus/client_golang v1.19.1 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.48.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/prometheus/client_golang v1.20.5 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/russross/blackfriday v1.6.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
@@ -162,10 +163,10 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/streamnative/function-mesh/api v0.0.0-20240802074023-ee53ec49a51d // indirect
-	github.com/streamnative/sn-operator/api v0.13.0-rc.5 // indirect
-	github.com/streamnative/sn-operator/api/commons v0.13.0-rc.5 // indirect
-	github.com/streamnative/sn-operator/pkg/commons v0.13.0-rc.5 // indirect
-	github.com/streamnative/unified-rbac/sdk/sdk-go v0.13.0 // indirect
+	github.com/streamnative/sn-operator/api v0.13.0-rc.15 // indirect
+	github.com/streamnative/sn-operator/api/commons v0.13.0-rc.15 // indirect
+	github.com/streamnative/sn-operator/pkg/commons v0.13.0-rc.15 // indirect
+	github.com/streamnative/unified-rbac/sdk/sdk-go v0.14.0 // indirect
 	github.com/stripe/stripe-go/v74 v74.5.0 // indirect
 	github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect
 	github.com/vmihailenco/msgpack/v5 v5.3.5 // indirect
@@ -175,14 +176,14 @@ require (
 	go.etcd.io/etcd/api/v3 v3.5.10 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.5.10 // indirect
 	go.etcd.io/etcd/client/v3 v3.5.10 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
-	go.opentelemetry.io/otel v1.27.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
+	go.opentelemetry.io/otel v1.34.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
-	go.opentelemetry.io/otel/metric v1.27.0 // indirect
+	go.opentelemetry.io/otel/metric v1.34.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.27.0 // indirect
-	go.opentelemetry.io/otel/trace v1.27.0 // indirect
+	go.opentelemetry.io/otel/trace v1.34.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.2.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/atomic v1.11.0 // indirect
@@ -197,12 +198,12 @@ require (
 	golang.org/x/sys v0.31.0 // indirect
 	golang.org/x/term v0.30.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
-	golang.org/x/time v0.7.0 // indirect
+	golang.org/x/time v0.10.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 // indirect
-	google.golang.org/grpc v1.64.1 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250227231956-55c901821b1e // indirect
+	google.golang.org/grpc v1.71.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect