telekom · ron96g · May 12, 2026 · May 12, 2026 · May 12, 2026 · May 12, 2026
diff --git a/common/pkg/config/feature.go b/common/pkg/config/feature.go
@@ -50,6 +50,11 @@ var (
 	FeatureFileManager   Feature = NewFeature("file_manager", true)   // File Manager feature enabled by default
 )
 
+// SetFeatureEnabled sets the enabled state for a feature. Intended for tests.
+func SetFeatureEnabled(f Feature, enabled bool) {
+	features[f] = enabled
+}
+
 // logFeatureStates logs the enabled/disabled state of all registered features.
 func logFeatureStates() {
 	for f, enabled := range features {

diff --git a/controlplane-api/cmd/config/config.go b/controlplane-api/cmd/config/config.go
@@ -21,8 +21,9 @@ type ServerConfig struct {
 }
 
 type KubernetesConfig struct {
-	Enabled    bool   `yaml:"enabled"`
-	Kubeconfig string `yaml:"kubeconfig"` // optional, defaults to in-cluster config
+	Enabled     bool   `yaml:"enabled"`
+	Kubeconfig  string `yaml:"kubeconfig"`  // optional, defaults to in-cluster config
+	Environment string `yaml:"environment"` // environment scope for the scoped client
 }
 
 type DatabaseConfig struct {
@@ -56,7 +57,7 @@ type LogConfig struct {
 func DefaultConfig() *ServerConfig {
 	return &ServerConfig{
 		Database: DatabaseConfig{
-			URL: "postgres://localhost:5432/controlplane?sslmode=disable",
+			URL: "postgres://controlplane:controlplane@localhost:5432/controlplane?sslmode=disable",
 		},
 		Server: HTTPServerConfig{
 			Address: ":8443",
@@ -75,6 +76,10 @@ func DefaultConfig() *ServerConfig {
 		Log: LogConfig{
 			Level: "info",
 		},
+		Kubernetes: KubernetesConfig{
+			Enabled:     true,
+			Environment: "poc", // TODO: for now, this is fine. Needs to be refined later
+		},
 	}
 }
 

diff --git a/controlplane-api/cmd/main.go b/controlplane-api/cmd/main.go
@@ -20,6 +20,7 @@ import (
 	cserver "github.com/telekom/controlplane/common-server/pkg/server"
 	"github.com/telekom/controlplane/common-server/pkg/server/middleware/security"
 	"github.com/telekom/controlplane/common-server/pkg/server/serve"
+	cc "github.com/telekom/controlplane/common/pkg/client"
 	"github.com/vektah/gqlparser/v2/ast"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@@ -41,8 +42,10 @@ import (
 	gqlcontroller "github.com/telekom/controlplane/controlplane-api/internal/graphql"
 	"github.com/telekom/controlplane/controlplane-api/internal/interceptor"
 	"github.com/telekom/controlplane/controlplane-api/internal/resolvers"
+	"github.com/telekom/controlplane/controlplane-api/internal/secrets"
 	"github.com/telekom/controlplane/controlplane-api/internal/service"
 	organizationv1 "github.com/telekom/controlplane/organization/api/v1"
+	secretsapi "github.com/telekom/controlplane/secret-manager/api"
 )
 
 var configFile string
@@ -76,18 +79,19 @@ func main() {
 			log.Error(err, "failed to create Kubernetes client")
 			os.Exit(1)
 		}
+		scopedClient := cc.NewScopedClient(k8sClient, cfg.Kubernetes.Environment)
 		services = service.Services{
-			Team:        service.NewTeamK8sService(k8sClient),
-			Application: service.NewApplicationK8sService(k8sClient),
-			Approval:    service.NewApprovalK8sService(k8sClient),
+			Team:        service.NewTeamK8sService(scopedClient),
+			Application: service.NewApplicationK8sService(scopedClient),
+			Approval:    service.NewApprovalK8sService(scopedClient),
 		}
 		log.Info("Kubernetes integration enabled")
 	} else {
 		log.Info("Kubernetes integration disabled, mutations will be unavailable")
 	}
 
-	srv := newGraphQLServer(client, services, cfg.Security.Enabled)
-
+	secretResolver := secrets.NewResolver(secretsapi.NewSecrets())
+	srv := newGraphQLServer(client, services, secretResolver, cfg.Security.Enabled)
 	appCfg := cserver.NewAppConfig()
 	appCfg.CtxLog = log
 	appCfg.EnableCors = true
@@ -176,8 +180,8 @@ func newK8sClient(cfg config.KubernetesConfig) (client.Client, error) {
 	return client.New(restConfig, client.Options{Scheme: scheme})
 }
 
-func newGraphQLServer(entClient *ent.Client, services service.Services, securityEnabled bool) *handler.Server {
-	srv := handler.New(resolvers.NewSchema(entClient, services))
+func newGraphQLServer(entClient *ent.Client, services service.Services, secretResolver *secrets.Resolver, securityEnabled bool) *handler.Server {
+	srv := handler.New(resolvers.NewSchema(entClient, services, secretResolver))
 	srv.AddTransport(transport.Options{})
 	srv.AddTransport(transport.GET{})
 	srv.AddTransport(transport.POST{})
@@ -187,8 +191,10 @@ func newGraphQLServer(entClient *ent.Client, services service.Services, security
 	srv.Use(extension.AutomaticPersistedQuery{
 		Cache: lru.New[string](100),
 	})
+	srv.SetErrorPresenter(gqlcontroller.ErrorPresenter)
 
 	srv.AroundOperations(gqlcontroller.ViewerFromBusinessContext(entClient, securityEnabled))
+	srv.AroundOperations(gqlcontroller.LogMutationUser())
 
 	return srv
 }
diff --git a/controlplane-api/config/default/deployment_patch.yaml b/controlplane-api/config/default/deployment_patch.yaml
@@ -15,3 +15,37 @@
     name: cert-volume
     mountPath: /etc/tls
     readOnly: true
+
+# [SECRET_MANAGER] This patch will configure the necessary service account token projection for the secret manager client
+- op: add
+  path: /spec/template/spec/volumes/0
+  value:
+    name: secretmgr-token
+    projected:
+      sources:
+        - serviceAccountToken:
+            path: token
+            expirationSeconds: 600
+            audience: secret-manager
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/-
+  value:
+    name: secretmgr-token
+    mountPath: /var/run/secrets/secretmgr
+    readOnly: true
+
+# This patch will add the trust-manager bundle to the deployment
+# Only if trust-manager is installed, see https://cert-manager.io/docs/trust/trust-manager
+- op: add
+  path: /spec/template/spec/volumes/0
+  value:
+    name: trust-bundle
+    configMap:
+      name: secret-manager-trust-bundle
+
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/-
+  value:
+    name: trust-bundle
+    mountPath: /var/run/secrets/trust-bundle
+    readOnly: true
diff --git a/controlplane-api/config/default/kustomization.yaml b/controlplane-api/config/default/kustomization.yaml
@@ -42,10 +42,14 @@ configMapGenerator:
 
 patches:
   # This is only needed when using the cert-manager to issue certificates.
+  # [SECRET_MANAGER] The following patch will add the secret manager to the deployment.
   - path: deployment_patch.yaml
     target:
       kind: Deployment
       name: controlplane-api
+  - path: namespace_patch.yaml
+    target:
+      kind: Namespace
 
 # This is only needed when using the cert-manager to issue certificates.
 replacements:

diff --git a/controlplane-api/config/default/namespace_patch.yaml b/controlplane-api/config/default/namespace_patch.yaml
@@ -0,0 +1,8 @@
+# Copyright 2025 Deutsche Telekom IT GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# This patch is only needed when you want to use the network policy
+- op: add
+  path: /metadata/labels/cp.ei.telekom.de~1secret-manager
+  value: "enabled"