feat: add AWS Bedrock provider with SigV4 authentication

- Add SigV4AuthGenerator implementing AuthHeadersGenerator, using
  AWS SDK v2 signer to produce Authorization, X-Amz-Date,
  X-Amz-Content-Sha256, and X-Amz-Security-Token headers
- Introduce dataEnrichers map on ApiKeyInjectionPlugin to enrich
  the credentials map with per-request data (body, endpoint) before
  signing, keeping the AuthHeadersGenerator interface unchanged
- Thread ExternalModel.spec.endpoint through reconciler →
  modelInfoStore → CycleState → enricher → SigV4 signer, and
  extract the AWS region from the endpoint hostname
- Add provider constant aws-bedrock and CycleState key endpoint
- Add unit tests for SigV4 signing, region extraction, credential
  enrichment, session token handling, and missing-endpoint error path

Author: noalimoy

go.mod

@@ -16,6 +16,8 @@ require (
 
 require (
 	github.com/Masterminds/semver/v3 v3.4.0 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.41.7 // indirect
+	github.com/aws/smithy-go v1.25.1 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/google/pprof v0.0.0-20260402051712-545e8a4df936 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect

go.sum

@@ -6,6 +6,10 @@ github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8
 github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
+github.com/aws/aws-sdk-go-v2 v1.41.7 h1:DWpAJt66FmnnaRIOT/8ASTucrvuDPZASqhhLey6tLY8=
+github.com/aws/aws-sdk-go-v2 v1.41.7/go.mod h1:4LAfZOPHNVNQEckOACQx60Y8pSRjIkNZQz1w92xpMJc=
+github.com/aws/smithy-go v1.25.1 h1:J8ERsGSU7d+aCmdQur5Txg6bVoYelvQJgtZehD12GkI=
+github.com/aws/smithy-go v1.25.1/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=

pkg/plugins/apikey-injection/auth/sigv4_auth_generator.go

@@ -0,0 +1,129 @@
+/*
+Copyright 2026 The opendatahub.io Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"context"
+	"crypto/sha256"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
+)
+
+const (
+	awsAccessKeyField     = "aws-access-key-id"
+	awsSecretKeyField     = "aws-secret-access-key"
+	awsSessionTokenField  = "aws-session-token"
+	enrichedBodyField     = "_request_body"
+	enrichedEndpointField = "_endpoint"
+	enrichedPathField     = "_path"
+	bedrockService        = "bedrock"
+	defaultPath           = "/v1/chat/completions"
+)
+
+// compile-time interface check
+var _ AuthHeadersGenerator = &SigV4AuthGenerator{}
+
+// SigV4AuthGenerator generates AWS Signature Version 4 authentication headers.
+// All inputs (credentials, request body, endpoint) come from the credentialsData map,
+// where request-specific fields are injected by the credentials enricher.
+type SigV4AuthGenerator struct{}
+
+// GenerateAuthHeaders computes a SigV4 signature and returns the required AWS auth headers.
+// Expects the following keys in credentialsData:
+//   - "aws-access-key-id" and "aws-secret-access-key" (from the Kubernetes Secret)
+//   - "_request_body" and "_endpoint" (injected by the credentials enricher)
+//   - "aws-session-token" (optional, for temporary credentials)
+func (g *SigV4AuthGenerator) GenerateAuthHeaders(credentialsData map[string]string) (map[string]string, error) {
+	accessKey, ok := credentialsData[awsAccessKeyField]
+	if !ok || accessKey == "" {
+		return nil, fmt.Errorf("credentials missing required field %s", awsAccessKeyField)
+	}
+	secretKey, ok := credentialsData[awsSecretKeyField]
+	if !ok || secretKey == "" {
+		return nil, fmt.Errorf("credentials missing required field %s", awsSecretKeyField)
+	}
+
+	body, ok := credentialsData[enrichedBodyField]
+	if !ok {
+		return nil, fmt.Errorf("credentials missing required field %s (enricher not applied?)", enrichedBodyField)
+	}
+	endpoint, ok := credentialsData[enrichedEndpointField]
+	if !ok || endpoint == "" {
+		return nil, fmt.Errorf("credentials missing required field %s (enricher not applied?)", enrichedEndpointField)
+	}
+
+	region, err := regionFromEndpoint(endpoint)
+	if err != nil {
+		return nil, fmt.Errorf("failed to extract region: %w", err)
+	}
+
+	creds := aws.Credentials{
+		AccessKeyID:     accessKey,
+		SecretAccessKey: secretKey,
+		SessionToken:    credentialsData[awsSessionTokenField],
+		Source:          "ExternalModelSecret",
+	}
+
+	bodyHash := sha256Hex([]byte(body))
+
+	path := credentialsData[enrichedPathField]
+	if path == "" {
+		path = defaultPath
+	}
+
+	req, err := http.NewRequest(http.MethodPost, "https://"+endpoint+path, strings.NewReader(body))
+	if err != nil {
+		return nil, fmt.Errorf("failed to build HTTP request for signing: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/json")
+
+	signer := v4.NewSigner()
+	if err := signer.SignHTTP(context.Background(), creds, req, bodyHash, bedrockService, region, time.Now()); err != nil {
+		return nil, fmt.Errorf("SigV4 signing failed: %w", err)
+	}
+
+	headers := map[string]string{
+		"Authorization":        req.Header.Get("Authorization"),
+		"X-Amz-Date":           req.Header.Get("X-Amz-Date"),
+		"X-Amz-Content-Sha256": bodyHash,
+	}
+	if creds.SessionToken != "" {
+		headers["X-Amz-Security-Token"] = creds.SessionToken
+	}
+
+	return headers, nil
+}
+
+// regionFromEndpoint extracts the AWS region from a Bedrock endpoint hostname.
+// e.g. "bedrock-runtime.us-east-1.amazonaws.com" → "us-east-1"
+func regionFromEndpoint(endpoint string) (string, error) {
+	parts := strings.Split(endpoint, ".")
+	if len(parts) < 4 {
+		return "", fmt.Errorf("invalid AWS endpoint format: %q (expected service.region.amazonaws.com)", endpoint)
+	}
+	return parts[1], nil
+}
+
+func sha256Hex(data []byte) string {
+	h := sha256.Sum256(data)
+	return fmt.Sprintf("%x", h)
+}

pkg/plugins/apikey-injection/auth/sigv4_auth_generator_test.go

@@ -0,0 +1,236 @@
+/*
+Copyright 2026 The opendatahub.io Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"strings"
+	"testing"
+)
+
+func TestSigV4AuthHeadersGenerator(t *testing.T) {
+	validCredentials := map[string]string{
+		"aws-access-key-id":     "AKIAIOSFODNN7EXAMPLE",
+		"aws-secret-access-key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+		"_request_body":         `{"model":"anthropic.claude-v2","prompt":"hello"}`,
+		"_endpoint":             "bedrock-runtime.us-east-1.amazonaws.com",
+	}
+
+	validCredentialsWithToken := map[string]string{
+		"aws-access-key-id":     "AKIAIOSFODNN7EXAMPLE",
+		"aws-secret-access-key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+		"aws-session-token":     "FwoGZXIvYXdzEBYaDH7example-session-token",
+		"_request_body":         `{"model":"anthropic.claude-v2","prompt":"hello"}`,
+		"_endpoint":             "bedrock-runtime.us-east-1.amazonaws.com",
+	}
+
+	tests := []struct {
+		name            string
+		credentials     map[string]string
+		wantHeaders     []string
+		wantAuthPrefix  string
+		wantNoHeader    string
+		wantBodyHash    bool
+		wantErrContains string
+	}{
+		{
+			name:           "valid credentials without session token",
+			credentials:    validCredentials,
+			wantHeaders:    []string{"Authorization", "X-Amz-Date", "X-Amz-Content-Sha256"},
+			wantAuthPrefix: "AWS4-HMAC-SHA256",
+			wantNoHeader:   "X-Amz-Security-Token",
+			wantBodyHash:   true,
+		},
+		{
+			name:           "valid credentials with session token",
+			credentials:    validCredentialsWithToken,
+			wantHeaders:    []string{"Authorization", "X-Amz-Date", "X-Amz-Content-Sha256", "X-Amz-Security-Token"},
+			wantAuthPrefix: "AWS4-HMAC-SHA256",
+			wantBodyHash:   true,
+		},
+		{
+			name: "missing access key returns error",
+			credentials: map[string]string{
+				"aws-secret-access-key": "secret",
+				"_request_body":         "{}",
+				"_endpoint":             "bedrock-runtime.us-east-1.amazonaws.com",
+			},
+			wantErrContains: "aws-access-key-id",
+		},
+		{
+			name: "missing secret key returns error",
+			credentials: map[string]string{
+				"aws-access-key-id": "AKIA...",
+				"_request_body":     "{}",
+				"_endpoint":         "bedrock-runtime.us-east-1.amazonaws.com",
+			},
+			wantErrContains: "aws-secret-access-key",
+		},
+		{
+			name: "missing request body returns error",
+			credentials: map[string]string{
+				"aws-access-key-id":     "AKIA...",
+				"aws-secret-access-key": "secret",
+				"_endpoint":             "bedrock-runtime.us-east-1.amazonaws.com",
+			},
+			wantErrContains: "_request_body",
+		},
+		{
+			name: "missing endpoint returns error",
+			credentials: map[string]string{
+				"aws-access-key-id":     "AKIA...",
+				"aws-secret-access-key": "secret",
+				"_request_body":         "{}",
+			},
+			wantErrContains: "_endpoint",
+		},
+		{
+			name: "invalid endpoint format returns error",
+			credentials: map[string]string{
+				"aws-access-key-id":     "AKIA...",
+				"aws-secret-access-key": "secret",
+				"_request_body":         "{}",
+				"_endpoint":             "localhost",
+			},
+			wantErrContains: "invalid AWS endpoint",
+		},
+		{
+			name: "empty access key returns error",
+			credentials: map[string]string{
+				"aws-access-key-id":     "",
+				"aws-secret-access-key": "secret",
+				"_request_body":         "{}",
+				"_endpoint":             "bedrock-runtime.us-east-1.amazonaws.com",
+			},
+			wantErrContains: "aws-access-key-id",
+		},
+		{
+			name:            "empty credentials returns error",
+			credentials:     map[string]string{},
+			wantErrContains: "aws-access-key-id",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			generator := &SigV4AuthGenerator{}
+			authHeaders, err := generator.GenerateAuthHeaders(test.credentials)
+
+			if test.wantErrContains != "" {
+				if err == nil {
+					t.Errorf("expected error containing %q but got nil", test.wantErrContains)
+				} else if !strings.Contains(err.Error(), test.wantErrContains) {
+					t.Errorf("expected error containing %q, got: %v", test.wantErrContains, err)
+				}
+				return
+			}
+
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+
+			for _, header := range test.wantHeaders {
+				val, ok := authHeaders[header]
+				if !ok {
+					t.Errorf("expected header %q not found in result", header)
+					continue
+				}
+				if val == "" {
+					t.Errorf("header %q is empty", header)
+				}
+			}
+
+			if test.wantAuthPrefix != "" {
+				auth := authHeaders["Authorization"]
+				if !strings.HasPrefix(auth, test.wantAuthPrefix) {
+					t.Errorf("Authorization header should start with %q, got: %q", test.wantAuthPrefix, auth)
+				}
+			}
+
+			if test.wantNoHeader != "" {
+				if _, ok := authHeaders[test.wantNoHeader]; ok {
+					t.Errorf("header %q should not be present", test.wantNoHeader)
+				}
+			}
+
+			if test.wantBodyHash {
+				body := test.credentials["_request_body"]
+				expectedHash := fmt.Sprintf("%x", sha256.Sum256([]byte(body)))
+				if got := authHeaders["X-Amz-Content-Sha256"]; got != expectedHash {
+					t.Errorf("content hash mismatch: want %q, got %q", expectedHash, got)
+				}
+			}
+		})
+	}
+}
+
+func TestRegionFromEndpoint(t *testing.T) {
+	tests := []struct {
+		name       string
+		endpoint   string
+		wantRegion string
+		wantErr    bool
+	}{
+		{
+			name:       "standard bedrock endpoint",
+			endpoint:   "bedrock-runtime.us-east-1.amazonaws.com",
+			wantRegion: "us-east-1",
+		},
+		{
+			name:       "eu-west-1 region",
+			endpoint:   "bedrock-runtime.eu-west-1.amazonaws.com",
+			wantRegion: "eu-west-1",
+		},
+		{
+			name:       "ap-southeast-1 region",
+			endpoint:   "bedrock-runtime.ap-southeast-1.amazonaws.com",
+			wantRegion: "ap-southeast-1",
+		},
+		{
+			name:    "too few parts",
+			endpoint: "localhost",
+			wantErr: true,
+		},
+		{
+			name:    "only three parts",
+			endpoint: "bedrock.us-east-1.com",
+			wantErr: true,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			region, err := regionFromEndpoint(test.endpoint)
+
+			if test.wantErr {
+				if err == nil {
+					t.Errorf("expected error but got nil")
+				}
+				return
+			}
+
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+
+			if region != test.wantRegion {
+				t.Errorf("region mismatch: want %q, got %q", test.wantRegion, region)
+			}
+		})
+	}
+}