
feat: add bedrock credential type for AWS Bedrock authentication#784

Open
knechtionscoding wants to merge 1 commit into kelos-dev:main from knechtionscoding:feat/bedrock-auth

Conversation


@knechtionscoding knechtionscoding commented Mar 24, 2026

What type of PR is this?

/kind feature

What this PR does / why we need it:

Add a new bedrock credential type that injects AWS environment variables (CLAUDE_CODE_USE_BEDROCK, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION) from a referenced Secret, with optional support for AWS_SESSION_TOKEN and ANTHROPIC_BEDROCK_BASE_URL.

Refactor credential injection into a centralized credentialEnvVars() function so that adding future providers (e.g. Vertex) requires only a new case block.

Changes:

  • Add CredentialTypeBedrock constant and update CRD enum validation
  • Add credentialEnvVars() to centralize credential env var injection for all types
  • Support bedrock config block in CLI for auto-creating AWS credential secrets
  • Add unit tests for bedrock credential injection
  • Add example manifests in examples/09-bedrock-credentials/

Which issue(s) this PR is related to:

Fixes #780

Special notes for your reviewer:

  • AWS_SESSION_TOKEN and ANTHROPIC_BEDROCK_BASE_URL are injected with Optional: true on the SecretKeySelector, so pods won't fail if those keys are absent from the Secret.
  • The credentialEnvVars() refactor is a no-op for existing api-key and oauth types — it just moves the same logic into a single function.
  • IRSA (IAM Roles for Service Accounts) is not yet supported as a first-class feature — it requires making secretRef optional, which is a separate API change. The IRSA workaround via podOverrides.env is documented in the example README.

Does this PR introduce a user-facing change?

Add `bedrock` credential type for running Claude Code tasks via AWS Bedrock. Create a Secret with `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_REGION` keys, then set `credentials.type: bedrock` on your Task.

Summary by cubic

Add a new bedrock credential type to run Claude Code via AWS Bedrock. Injects AWS env vars from a Secret, adds CLI/config to create/update it, and centralizes credential env var injection.

  • New Features

    • CRD supports bedrock; injects CLAUDE_CODE_USE_BEDROCK=1, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, plus optional AWS_SESSION_TOKEN and ANTHROPIC_BEDROCK_BASE_URL.
    • CLI/config: new bedrock block; kelos run can create/update kelos-credentials; completion includes bedrock; examples in examples/09-bedrock-credentials/.
    • IRSA is not first-class yet; secretRef remains required (workaround documented in the example).
  • Refactors

    • Introduce credentialEnvVars() and use it for api-key, oauth, and bedrock; add unit test for Bedrock injection.

Written for commit d0a18b6. Summary will update on new commits.

Add a new `bedrock` credential type that injects AWS environment
variables (CLAUDE_CODE_USE_BEDROCK, AWS_ACCESS_KEY_ID,
AWS_SECRET_ACCESS_KEY, AWS_REGION) from a referenced Secret, with
optional support for AWS_SESSION_TOKEN and ANTHROPIC_BEDROCK_BASE_URL.

Refactor credential injection into a centralized credentialEnvVars()
function so that adding future providers (e.g. Vertex) requires only
a new case block.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
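The centralized injection the description outlines, written out as an added example rather than the kelos operator's own code. It uses local stand-in structs in place of corev1.EnvVar, corev1.EnvVarSource and corev1.SecretKeySelector so that it compiles without the Kubernetes API module; the Secret key name for the api-key case (ANTHROPIC_API_KEY) is taken from the review comment below and the oauth case is omitted because the page does not name its variable. The `missingKeys` helper mirrors what the kubelet enforces at pod start: a non-optional `secretKeyRef` whose key is absent blocks the container, an `optional: true` one does not.

```go
package main

import (
	"fmt"
	"sort"
)

// Stand-ins for the corev1 types the operator uses (corev1.EnvVar,
// corev1.EnvVarSource, corev1.SecretKeySelector); kept local so this
// example compiles without the Kubernetes API module.
type SecretKeySelector struct {
	Name     string // Secret name
	Key      string // key inside the Secret's data
	Optional *bool  // true: pod starts even if the key is absent
}

type EnvVarSource struct {
	SecretKeyRef *SecretKeySelector
}

type EnvVar struct {
	Name      string
	Value     string
	ValueFrom *EnvVarSource
}

// Credentials mirrors the fields the PR description talks about:
// a credential type plus a reference to the Secret holding the keys.
type Credentials struct {
	Type      string
	SecretRef string
}

const (
	CredentialTypeAPIKey  = "api-key"
	CredentialTypeBedrock = "bedrock"
)

func boolPtr(b bool) *bool { return &b }

// fromSecret builds an EnvVar whose value is read from key in the referenced Secret.
func fromSecret(name, secret, key string, optional bool) EnvVar {
	return EnvVar{
		Name: name,
		ValueFrom: &EnvVarSource{SecretKeyRef: &SecretKeySelector{
			Name: secret, Key: key, Optional: boolPtr(optional),
		}},
	}
}

// credentialEnvVars is the single switch the PR introduces: one case per
// provider, so a new provider only needs a new case block.
func credentialEnvVars(c Credentials) ([]EnvVar, error) {
	switch c.Type {
	case CredentialTypeAPIKey:
		// Assumed key name; the review comment states ANTHROPIC_API_KEY is non-optional.
		return []EnvVar{fromSecret("ANTHROPIC_API_KEY", c.SecretRef, "ANTHROPIC_API_KEY", false)}, nil
	case CredentialTypeBedrock:
		return []EnvVar{
			{Name: "CLAUDE_CODE_USE_BEDROCK", Value: "1"},
			fromSecret("AWS_ACCESS_KEY_ID", c.SecretRef, "AWS_ACCESS_KEY_ID", false),
			fromSecret("AWS_SECRET_ACCESS_KEY", c.SecretRef, "AWS_SECRET_ACCESS_KEY", false),
			fromSecret("AWS_REGION", c.SecretRef, "AWS_REGION", false),
			// Optional: true, so a Secret without these keys still lets the pod start.
			fromSecret("AWS_SESSION_TOKEN", c.SecretRef, "AWS_SESSION_TOKEN", true),
			fromSecret("ANTHROPIC_BEDROCK_BASE_URL", c.SecretRef, "ANTHROPIC_BEDROCK_BASE_URL", true),
		}, nil
	default:
		return nil, fmt.Errorf("unsupported credential type %q", c.Type)
	}
}

// missingKeys returns, sorted, the required Secret keys absent from secretData.
// Optional selectors are skipped, which is what the kubelet does with Optional: true.
func missingKeys(vars []EnvVar, secretData map[string][]byte) []string {
	var missing []string
	for _, v := range vars {
		if v.ValueFrom == nil || v.ValueFrom.SecretKeyRef == nil {
			continue
		}
		sel := v.ValueFrom.SecretKeyRef
		if sel.Optional != nil && *sel.Optional {
			continue
		}
		if _, ok := secretData[sel.Key]; !ok {
			missing = append(missing, sel.Key)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	// Constructed sample Secret: the three required keys, no session token.
	secret := map[string][]byte{
		"AWS_ACCESS_KEY_ID":     []byte("placeholder-access-key-id"),
		"AWS_SECRET_ACCESS_KEY": []byte("placeholder-secret"),
		"AWS_REGION":            []byte("us-east-1"),
	}
	vars, _ := credentialEnvVars(Credentials{Type: CredentialTypeBedrock, SecretRef: "kelos-credentials"})
	fmt.Println("missing required keys:", missingKeys(vars, secret)) // prints an empty list
}
```

Running `missingKeys` against a Secret that lacks `ANTHROPIC_API_KEY` for the `api-key` type reproduces the failure mode the first cubic comment describes for the IRSA workaround: the pod cannot start until that key exists.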

CLAassistant commented Mar 24, 2026

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added the needs-triage, needs-kind, needs-priority and needs-actor labels Mar 24, 2026

@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 9 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="examples/09-bedrock-credentials/README.md">

<violation number="1" location="examples/09-bedrock-credentials/README.md:61">
P2: IRSA example uses `type: api-key` with a dummy secret, but api-key credentials always inject a non-optional SecretKeyRef (ANTHROPIC_API_KEY). Without creating a dummy secret containing that key, the pod will fail to start; the README doesn’t mention this requirement.</violation>
</file>

Since this is your first cubic review, here's how it works:

  • cubic automatically reviews your code and comments on bugs and improvements
  • Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
  • Add one-off context when rerunning by tagging @cubic-dev-ai with guidance or docs links (including llms.txt)
  • Ask questions if you need clarification on any suggestion

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.


@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 26 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="api/v1alpha1/task_types.go">

<violation number="1" location="api/v1alpha1/task_types.go:103">
P2: Bedrock credentials validation allows IRSA mode without requiring `region`, so invalid specs can pass admission and fail at runtime.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.


@cubic-dev-ai cubic-dev-ai bot Mar 24, 2026


P2: Bedrock credentials validation allows IRSA mode without requiring region, so invalid specs can pass admission and fail at runtime.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At api/v1alpha1/task_types.go, line 103:

<comment>Bedrock credentials validation allows IRSA mode without requiring `region`, so invalid specs can pass admission and fail at runtime.</comment>

<file context>
@@ -86,6 +100,7 @@ type TaskSpec struct {
 
 	// Credentials specifies how to authenticate with the agent.
 	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:XValidation:rule="self.type == 'bedrock' || has(self.secretRef)",message="secretRef is required for api-key and oauth credential types"
 	Credentials Credentials `json:"credentials"`
 
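Review bot: the new XValidation rule exempts `bedrock` from the secretRef requirement outright, but nothing in this hunk constrains what a bedrock spec without `secretRef` must carry, so a Task with `type: bedrock` and neither `secretRef` nor a region is admitted and only fails once the pod runs. Add a companion rule for the bedrock branch, for example `self.type != 'bedrock' || has(self.secretRef) || (has(self.region) && self.region != '')`; the `has()` guard matters because CEL field access on an unset optional field is an evaluation error, not an empty string. Separately, the message text names api-key and oauth while the rule is keyed on "any type other than bedrock", so a future type (the description mentions Vertex) silently inherits the secretRef requirement; if that is intended, a comment on the rule saying so would save the next contributor a surprise.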
</file context>
Suggested change
// +kubebuilder:validation:XValidation:rule="self.type == 'bedrock' || has(self.secretRef)",message="secretRef is required for api-key and oauth credential types"
// +kubebuilder:validation:XValidation:rule="self.type != 'bedrock' || has(self.secretRef) || self.region != ''",message="for bedrock, either secretRef or region is required"
// +kubebuilder:validation:XValidation:rule="self.type == 'bedrock' || has(self.secretRef)",message="secretRef is required for api-key and oauth credential types"

Development

Successfully merging this pull request may close these issues.

Allow for authentication via bedrock instead of Anthropic directly
