feat: add customer-workload service account for pod isolation (#4455)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

* feat: decrypt env vars in CTRL workflow before passing to Krane

* feat: inject env vars into pod spec via Krane

* feat: add customer-workload service account for pod isolation

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <[email protected]>

Author: 3 people

go/k8s/manifests/rbac.yaml

@@ -8,6 +8,19 @@ metadata:
     app: unkey
     component: krane
 
+---
+# Restricted service account for customer workloads
+# This account has NO permissions - customers cannot query the K8s API
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: customer-workload
+  namespace: unkey
+  labels:
+    app: unkey
+    component: customer
+# automountServiceAccountToken is also disabled at pod level for defense in depth
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole