KNOX:3353: Add Docker-based integration tests for k8s ServiceAccountValidator #1271

Open
smolnar82 wants to merge 1 commit into apache:master from smolnar82:KNOX-3353

@smolnar82

Contributor

KNOX-3353 - Add Docker-based integration tests for the k8s ServiceAccountValidator

What changes were proposed in this pull request?

Adds Docker Compose integration test coverage for the new k8s pre-auth ServiceAccountValidator (SPIFFE id → ServiceAccount annotation matching).

  • compose/docker-compose.yml — adds a single-node k3s service (real API server for the fabric8 client to talk to) and a one-shot k8s-bootstrap service that derives a Knox-reachable kubeconfig (server rewritten to https://k3s:6443, matched by --tls-san=k3s) and applies the test fixtures. The knox service mounts that kubeconfig (KUBECONFIG) and waits for bootstrap to complete. The kubeconfig is re-derived inside the readiness loop so it always converges on k3s's live CA, even across volume reuse/restarts.
  • compose/k8s/manifests/test-sa.yaml — namespace test + test-sa ServiceAccount annotated knox.apache.org/owner-username: bob.
  • build/conf/topologies/k8sauth.xml + Dockerfile — bakes a k8sauth topology (HeaderPreAuth federation backed by ServiceAccountValidator, fronting the HEALTH service).
  • tests/test_k8s_serviceaccount_validation.py — new pytest cases.

How was this patch tested?

Ran the full Docker Compose suite locally:

docker compose -f ./.github/workflows/compose/docker-compose.yml down --volumes
docker compose -f ./.github/workflows/compose/docker-compose.yml up --exit-code-from tests tests

All 28 tests pass, including the 6 new ones. No production code changed — this is test infrastructure only:

tests-1  | ============================= test session starts ==============================
tests-1  | platform linux -- Python 3.10.20, pytest-8.3.4, pluggy-1.6.0
tests-1  | rootdir: /tests
tests-1  | collected 28 items
tests-1  | 
tests-1  | test_health.py .....                                                     [ 17%]
tests-1  | test_k8s_serviceaccount_validation.py ......                             [ 39%]
tests-1  | test_knox_auth_service_and_ldap.py ...                                   [ 50%]
tests-1  | test_knox_configs.py .                                                   [ 53%]
tests-1  | test_knoxauth_preauth_and_paths.py ......                                [ 75%]
tests-1  | test_remote_auth.py ...                                                  [ 85%]
tests-1  | test_remoteauth_extauthz_additional_path.py ....                         [100%]
tests-1  | 
tests-1  | =============================== warnings summary ===============================
...
tests-1  | 
tests-1  | -- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
tests-1  | ----------------- generated xml file: /tests/test-results.xml ------------------
tests-1  | ======================= 28 passed, 28 warnings in 1.43s ========================

Integration Tests

Added tests/test_k8s_serviceaccount_validation.py against the k8sauth topology:

  • asserted user matching the SA annotation (bob) → 200 / OK
  • mismatched user (sam) → 403
  • missing SPIFFE header, missing user header, unparseable SPIFFE id, unknown ServiceAccount → 403

UI changes

N/A
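
The decision table those six test cases exercise, modelled as an added example; it is not Knox's ServiceAccountValidator code and not part of this pull request. The SPIFFE path layout `/ns/<namespace>/sa/<name>`, the trust domain `cluster.local`, and the function names are assumptions, and the in-memory fixture is constructed from the manifest described above.

```python
from urllib.parse import urlsplit

OWNER_ANNOTATION = "knox.apache.org/owner-username"  # annotation key named in the PR description

# Constructed fixture mirroring test-sa.yaml as described: namespace "test",
# ServiceAccount "test-sa", owner annotation "bob". Stands in for the API server lookup.
SERVICE_ACCOUNTS = {("test", "test-sa"): {OWNER_ANNOTATION: "bob"}}


def parse_spiffe_id(spiffe_id):
    """Return (namespace, service_account), or None if the id is not usable.

    Assumes the common Kubernetes layout spiffe://<trust-domain>/ns/<ns>/sa/<sa>.
    The trust domain is not checked in this model.
    """
    try:
        parts = urlsplit(spiffe_id)
    except ValueError:
        return None
    if parts.scheme != "spiffe" or not parts.netloc or parts.query or parts.fragment:
        return None
    segments = parts.path.split("/")
    # Expect exactly ["", "ns", <ns>, "sa", <sa>]; extra or missing segments are rejected.
    if len(segments) != 5 or segments[1] != "ns" or segments[3] != "sa":
        return None
    namespace, service_account = segments[2], segments[4]
    if not namespace or not service_account:
        return None
    return namespace, service_account


def decide(spiffe_id, asserted_user, service_accounts=SERVICE_ACCOUNTS):
    """Return the HTTP status the test matrix expects: 200 only on an exact match."""
    if not spiffe_id or not asserted_user:
        return 403  # missing SPIFFE header or missing user header
    identity = parse_spiffe_id(spiffe_id)
    if identity is None:
        return 403  # unparseable SPIFFE id
    annotations = service_accounts.get(identity)
    if annotations is None:
        return 403  # unknown ServiceAccount
    owner = annotations.get(OWNER_ANNOTATION)
    if owner is None or owner != asserted_user:
        return 403  # no owner annotation, or asserted user is not the owner
    return 200
```

Every branch other than the exact match returns 403, so a lookup miss or a malformed id never falls through to an allow.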

@github-actions


Test Results

28 tests   28 ✅  3s ⏱️
 1 suites   0 💤
 1 files     0 ❌

Results for commit 3951112.
